Platform
go
Component
github.com/centrifugal/centrifugo/v6
Fixed in
6.7.1
6.7.0
CVE-2026-32301 describes a Server-Side Request Forgery (SSRF) vulnerability affecting Centrifugo v6, a Go-based real-time messaging server. This flaw allows unauthenticated attackers to manipulate JWT claims and force Centrifugo to make outbound HTTP requests to arbitrary destinations. Versions prior to 6.7.0 are vulnerable; upgrading is the recommended remediation.
The SSRF vulnerability in Centrifugo arises from improper handling of dynamic JWKS endpoint URLs that use template variables during JWT verification. An attacker can craft a malicious JWT with carefully chosen iss or aud claims. These claims are interpolated into the JWKS fetch URL before the token signature is verified, so the attacker controls the destination of the HTTP request Centrifugo makes, potentially exposing internal resources or enabling unauthorized access to external services. The impact is severe, as an attacker can potentially read sensitive data, execute commands on internal systems, or pivot to other networks.
CVE-2026-32301 was publicly disclosed on 2026-03-13. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity warrant immediate attention. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing Centrifugo v6 for real-time messaging, particularly those with dynamic JWKS endpoint configurations or those exposing Centrifugo to untrusted networks, are at significant risk. Shared hosting environments where Centrifugo instances are deployed alongside other applications are also vulnerable.
• linux / server:
journalctl -u centrifugo | grep -iE "request to|jwks"
• generic web:
curl -I <centrifugo_endpoint>/connect | grep -i "Location:"
• generic web:
Inspect Centrifugo configuration files for dynamic JWKS endpoint URLs using template variables (e.g., {{tenant}}).
disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32301 is to upgrade Centrifugo to version 6.7.0 or later, which includes the fix. If upgrading immediately is not feasible, implement strict URL validation on the JWKS endpoint URL to prevent the interpolation of attacker-controlled values. This can be achieved by whitelisting allowed characters or using a more secure templating engine. Consider implementing a Web Application Firewall (WAF) with rules to block outbound requests to suspicious destinations. Regularly review and audit JWT configuration to ensure proper validation and prevent future SSRF vulnerabilities.
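As an added illustration of the strict URL validation described above (example code written for this page, not Centrifugo's own implementation): a Go helper that expands a {{claim}} template only with allowlisted claim values and refuses any result whose scheme or host differs from the configured template's, so a token can never choose where the JWKS fetch goes. The template syntax, the allowlist and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Allowlist for claim values substituted into the JWKS URL template (an assumption
// for this example, not Centrifugo's own rule): letters, digits, '-', '_' only, so
// a value cannot add path segments, a query, or a userinfo/host component.
var claimValuePattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// placeholderPattern matches template variables such as {{tenant}}.
var placeholderPattern = regexp.MustCompile(`\{\{\s*([A-Za-z0-9_]+)\s*\}\}`)

// BuildJWKSURL expands template with claim values; it accepts the result only if
// every referenced claim is allowlisted and scheme/host match those of the template
// expanded with a neutral value, so a claim can never pick a different destination.
func BuildJWKSURL(template string, claims map[string]string) (string, error) {
	ref, err := url.Parse(placeholderPattern.ReplaceAllString(template, "placeholder"))
	if err != nil || ref.Scheme != "https" || ref.Host == "" {
		return "", errors.New("jwks template must be an absolute https URL")
	}
	var claimErr error
	expanded := placeholderPattern.ReplaceAllStringFunc(template, func(m string) string {
		name := placeholderPattern.FindStringSubmatch(m)[1]
		v, ok := claims[name]
		switch {
		case !ok:
			claimErr = fmt.Errorf("claim %q missing from token", name)
		case !claimValuePattern.MatchString(v):
			claimErr = fmt.Errorf("claim %q has a value outside the allowlist", name)
		}
		return v
	})
	if claimErr != nil {
		return "", claimErr
	}
	got, err := url.Parse(expanded)
	if err != nil || got.Scheme != ref.Scheme || !strings.EqualFold(got.Host, ref.Host) {
		return "", errors.New("expanded jwks URL does not point at the configured host")
	}
	return got.String(), nil
}

func main() {
	fmt.Println(BuildJWKSURL("https://auth.example.com/{{tenant}}/.well-known/jwks.json", map[string]string{"tenant": "acme"}))
}
```

Note that a template placing the variable in the host part (for example {{tenant}}.example.com) is rejected outright by this check, since the expanded host can never equal the reference host.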
Update Centrifugo to version 6.7.0 or later. This version fixes the SSRF vulnerability by properly validating the JWT claims before they are inserted into the JWKS endpoint URL.
CVE-2026-32301 is a critical SSRF vulnerability in Centrifugo v6 where attackers can manipulate JWTs to force outbound HTTP requests.
You are affected if you are using Centrifugo v6 prior to version 6.7.0 and have dynamic JWKS endpoint URLs.
Upgrade to Centrifugo v6.7.0 or later. If immediate upgrade is not possible, implement strict URL validation on the JWKS endpoint URL.
There is currently no indication of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the Centrifugo security advisory on their GitHub repository for detailed information and updates.