FKIE_CVE-2026-32301

Vulnerability from fkie_nvd - Published: 2026-03-13 19:54 - Updated: 2026-03-18 18:02
Severity
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Summary
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.
References
security-advisories@github.comhttps://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552Exploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
centrifugal centrifugo *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:centrifugal:centrifugo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FFE4B883-6865-417B-B19A-92020BB6F2BB",
              "versionEndExcluding": "6.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0."
    },
    {
      "lang": "es",
      "value": "Centrifugo es un servidor de mensajer\u00eda en tiempo real escalable de c\u00f3digo abierto. Antes de la versi\u00f3n 6.7.0, Centrifugo es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) cuando se configura con una URL de endpoint JWKS din\u00e1mica utilizando variables de plantilla (p. ej., {{tenant}}). Un atacante no autenticado puede crear un JWT con un valor de reclamaci\u00f3n \u0027iss\u0027 o \u0027aud\u0027 malicioso que se interpola en la URL de obtenci\u00f3n de JWKS antes de que se verifique la firma del token, lo que hace que Centrifugo realice una petici\u00f3n HTTP saliente a un destino controlado por el atacante. Esta vulnerabilidad se corrige en la versi\u00f3n 6.7.0."
    }
  ],
  "id": "CVE-2026-32301",
  "lastModified": "2026-03-18T18:02:29.327",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-13T19:54:41.477",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.