Cyber Posture

CVE-2026-32301

Critical · Public PoC

Published: 13 March 2026
Modified: 18 March 2026
KEV Added:
Patch:
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0010 (27.9th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.

Mitigating Controls (NIST 800-53 r5) · AI

- prevent: Requires validation of untrusted JWT claims (iss/aud) before interpolating them into JWKS fetch URLs, directly preventing SSRF exploitation.
- prevent: Restricts JWKS endpoints to organization-approved identity providers and authorization servers, blocking dynamic fetches to arbitrary attacker-controlled destinations.
- prevent: Monitors and controls outbound communications at system boundaries to block unauthorized HTTP requests to attacker-specified hosts.

Security Summary · AI

CVE-2026-32301 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in Centrifugo, an open-source scalable real-time messaging server. It affects versions prior to 6.7.0 when configured with a dynamic JSON Web Key Set (JWKS) endpoint URL that uses template variables, such as {{tenant}}. In this setup, claim values from a JSON Web Token (JWT) are interpolated into the JWKS fetch URL before the token's signature verification occurs.

An unauthenticated attacker can exploit the vulnerability by crafting a JWT with malicious iss or aud claim values. These values cause Centrifugo to fetch the JWKS from an attacker-controlled destination via an outbound HTTP request. The CVSS v3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N), reflecting critical severity with network accessibility, low attack complexity, no privileges or user interaction required, changed scope, high confidentiality impact, and low integrity impact.

The vulnerability is fixed in Centrifugo version 6.7.0. Additional details on mitigation and patches are available in the GitHub security advisory at https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552.
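The pattern the summary describes, and the check that prevents it, as an added Go example (Centrifugo is written in Go, but this is not the project's code): the JWKS URL template, the tenant identifier pattern and the tenant allowlist are constructed assumptions. The unsafe function interpolates the unverified claim as-is; the hardened one validates the claim against configuration before it ever reaches the URL and confirms the result still points at the configured origin.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed JWKS URL template; Centrifugo's real config key is not assumed.
const jwksTemplate = "https://auth.example.com/{{tenant}}/.well-known/jwks.json"

// Assumed shape of a legitimate tenant identifier.
var tenantPattern = regexp.MustCompile(`^[a-z0-9-]{1,64}$`)

// resolveJWKSURLUnsafe reproduces the flawed pattern the advisory describes: a
// claim from a token whose signature has NOT yet been verified is substituted
// into the fetch URL unvalidated, so the token author picks the destination.
func resolveJWKSURLUnsafe(template, tenantClaim string) string {
	return strings.ReplaceAll(template, "{{tenant}}", tenantClaim)
}

// resolveJWKSURLSafe validates the claim before it touches the URL: strict
// character set, membership in a configured allowlist, a template whose host
// is static, and a final check that the result keeps the template's origin.
func resolveJWKSURLSafe(template, tenantClaim string, allowed map[string]bool) (string, error) {
	origin, err := url.Parse(template)
	if err != nil || origin.Scheme != "https" || strings.Contains(origin.Host, "{{") {
		return "", fmt.Errorf("template %q rejected: need https and a static host", template)
	}
	if !tenantPattern.MatchString(tenantClaim) {
		return "", fmt.Errorf("tenant claim %q rejected: bad characters or length", tenantClaim)
	}
	if !allowed[tenantClaim] {
		return "", fmt.Errorf("tenant claim %q rejected: not an approved tenant", tenantClaim)
	}
	resolved := strings.ReplaceAll(template, "{{tenant}}", tenantClaim)
	got, err := url.Parse(resolved)
	if err != nil || got.Scheme != origin.Scheme || got.Host != origin.Host {
		return "", fmt.Errorf("resolved URL %q leaves the configured JWKS origin", resolved)
	}
	return resolved, nil
}

func main() {
	allowed := map[string]bool{"acme": true}
	fmt.Println(resolveJWKSURLUnsafe(jwksTemplate, "acme/../../other")) // accepted blindly
	fmt.Println(resolveJWKSURLSafe(jwksTemplate, "acme/../../other", allowed))
}
```

The allowlist and the origin check are the two controls listed under Mitigating Controls above; an egress filter at the network boundary is the third, independent layer.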

Details

CWE(s): CWE-918 (Server-Side Request Forgery)

Affected Products: centrifugal / centrifugo ≤ 6.7.0

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The SSRF in the public-facing Centrifugo real-time messaging server can be triggered without authentication, which matches exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References