Platform
go
Component
github.com/centrifugal/centrifugo/v6
Fixed in
6.7.1
6.7.0
CVE-2026-32301 describes a Server-Side Request Forgery (SSRF) vulnerability affecting Centrifugo v6, a Go-based real-time messaging server. This flaw allows unauthenticated attackers to manipulate JWT claims and force Centrifugo to make outbound HTTP requests to arbitrary destinations. Versions prior to 6.7.0 are vulnerable; upgrading is the recommended remediation.
The SSRF vulnerability in Centrifugo arises from improper handling of dynamic JWKS endpoint URLs using template variables within JWT verification. An attacker can craft a malicious JWT with carefully chosen iss or aud claims. These claims are interpolated into the JWKS fetch URL before the token signature is verified. This allows the attacker to control the destination of the HTTP request Centrifugo makes, potentially exposing internal resources or enabling unauthorized access to external services. The impact is severe, as an attacker can potentially read sensitive data, execute commands on internal systems, or pivot to other networks.
CVE-2026-32301 was publicly disclosed on 2026-03-13. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity warrant immediate attention. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.07% (21% percentile)
CISA SSVC
The primary mitigation for CVE-2026-32301 is to upgrade Centrifugo to version 6.7.0 or later, which includes the fix. If upgrading immediately is not feasible, implement strict URL validation on the JWKS endpoint URL to prevent the interpolation of attacker-controlled values. This can be achieved by whitelisting allowed characters or using a more secure templating engine. Consider implementing a Web Application Firewall (WAF) with rules to block outbound requests to suspicious destinations. Regularly review and audit JWT configuration to ensure proper validation and prevent future SSRF vulnerabilities.
Update Centrifugo to version 6.7.0 or higher. This version fixes the SSRF vulnerability by correctly validating JWT claims before interpolating them into the JWKS endpoint URL.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-32301 is a critical SSRF vulnerability in Centrifugo v6 where attackers can manipulate JWTs to force outbound HTTP requests.
You are affected if you are using Centrifugo v6 prior to version 6.7.0 and have dynamic JWKS endpoint URLs.
Upgrade to Centrifugo v6.7.0 or later. If immediate upgrade is not possible, implement strict URL validation on the JWKS endpoint URL.
There is currently no indication of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the Centrifugo security advisory on their GitHub repository for detailed information and updates.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.