CVE-2026-32301 (GCVE-0-2026-32301)
Vulnerability from cvelistv5 – Published: 2026-03-12 21:19 – Updated: 2026-03-13 13:09
VLAI
EPSS
VEX
Title
Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL
Summary
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.
Severity
9.3 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/centrifugal/centrifugo/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| centrifugal | centrifugo |
Affected:
< 6.7.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32301",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T13:09:43.696846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T13:09:57.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "centrifugo",
"vendor": "centrifugal",
"versions": [
{
"status": "affected",
"version": "\u003c 6.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T21:19:03.862Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552"
}
],
"source": {
"advisory": "GHSA-j77h-rr39-c552",
"discovery": "UNKNOWN"
},
"title": "Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32301",
"datePublished": "2026-03-12T21:19:03.862Z",
"dateReserved": "2026-03-11T21:16:21.658Z",
"dateUpdated": "2026-03-13T13:09:57.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32301",
"date": "2026-07-09",
"epss": "0.00258",
"percentile": "0.17135"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32301\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-13T19:54:41.477\",\"lastModified\":\"2026-06-17T10:35:31.590\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.\"},{\"lang\":\"es\",\"value\":\"Centrifugo es un servidor de mensajer\u00eda en tiempo real escalable de c\u00f3digo abierto. Antes de la versi\u00f3n 6.7.0, Centrifugo es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) cuando se configura con una URL de endpoint JWKS din\u00e1mica utilizando variables de plantilla (p. ej., {{tenant}}). Un atacante no autenticado puede crear un JWT con un valor de reclamaci\u00f3n \u0027iss\u0027 o \u0027aud\u0027 malicioso que se interpola en la URL de obtenci\u00f3n de JWKS antes de que se verifique la firma del token, lo que hace que Centrifugo realice una petici\u00f3n HTTP saliente a un destino controlado por el atacante. Esta vulnerabilidad se corrige en la versi\u00f3n 6.7.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"centrifugal\",\"product\":\"centrifugo\",\"versions\":[{\"version\":\"\u003c 6.7.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-13T13:09:43.696846Z\",\"id\":\"CVE-2026-32301\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:centrifugal:centrifugo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.7.0\",\"matchCriteriaId\":\"FFE4B883-6865-417B-B19A-92020BB6F2BB\"}]}]}],\"references\":[{\"url\":\"https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"redhat_vex": {
"current_release_date": "2026-03-27T07:42:19+00:00",
"cve": "CVE-2026-32301",
"id": "CVE-2026-32301",
"initial_release_date": "2026-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32301.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL\", \"source\": {\"advisory\": \"GHSA-j77h-rr39-c552\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"centrifugal\", \"product\": \"centrifugo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552\", \"name\": \"https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-12T21:19:03.862Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32301\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T13:09:43.696846Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-13T13:09:53.246Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32301\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-12T21:19:03.862Z\", \"dateReserved\": \"2026-03-11T21:16:21.658Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-12T21:19:03.862Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…