CVE-2026-32301Server-Side Request Forgery in Centrifugo

CWE-918Server-Side Request Forgery6 documents5 sources
Severity
9.3CRITICALNVD
EPSS
0.1%
top 77.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Centrifugal CentrifugoGithub.com Centrifugal Centrifugo V6Github.com Centrifugal Centrifugo+3 more
Timeline
PublishedMar 13
Latest updateMar 26

Description

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.7

Affected Packages7 packages

CVEListV5centrifugal/centrifugo< 6.7.0

🔴Vulnerability Details

4
OSV
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL in github.com/centrifugal/centrifugo2026-03-26
GHSA
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL2026-03-13
OSV
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL2026-03-13
CVEList
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL2026-03-12

🕵️Threat Intelligence

1
Wiz
CVE-2026-32301 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-32301 — Server-Side Request Forgery | cvebase