CVE-2026-32301
SSRF in Centrifugo JWKS URL Allows Unauthenticated Requests
Publication date: 2026-03-13
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| centrifugal | centrifugo | < 6.7.0 (6.7.0 itself is fixed and not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-32301 is a Server-Side Request Forgery (SSRF) vulnerability in Centrifugo versions prior to 6.7.0. It affects deployments configured with a dynamic JWKS (JSON Web Key Set) endpoint URL that contains template variables, such as {{tenant}}, filled from fields of the incoming token.
An unauthenticated attacker crafts a JWT whose issuer (iss) or audience (aud) claim carries an attacker-chosen value. Centrifugo interpolates that value into the JWKS URL before the token's signature is verified, so the resulting HTTP request goes wherever the claim steers it, including a server the attacker controls.
The root cause is ordering: the token is parsed without verification, the claims are extracted (by regex matching) and used to build the JWKS URL, and the fetch is issued, all before any signature check. Since that fetch is what obtains the verification key, verifying first is not an option here; the effective control is to constrain the extracted value and the destination of the fetch independently of anything the token says.
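To make the ordering problem concrete, here is an added Go example (not Centrifugo's code and not from this page) that models the two flows side by side: an unverified token is decoded, a regex pulls a tenant out of iss, and the match is dropped into a JWKS URL template. The template, its host suffix, both regex patterns and the forged tokens are assumptions made for the example. The vulnerable path shows how a crafted iss moves the fetch to a different host; the hardened path shows the two checks (anchored identifier pattern, host allowlist on the assembled URL) that stop it without needing a verified signature.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumed configuration for this example, not Centrifugo's own: a JWKS URL
// template whose {{tenant}} variable sits in the host name, and the suffix
// every legitimate tenant host must end with.
const (
	jwksTemplate   = "https://{{tenant}}.auth.example/.well-known/jwks.json"
	jwksHostSuffix = ".auth.example"
)

// Extraction patterns. The loose one is the kind of regex that makes the bug
// exploitable; the strict one is anchored and limited to identifier characters.
var (
	looseTenantRe  = regexp.MustCompile(`tenant=(.*)`)
	strictTenantRe = regexp.MustCompile(`^tenant=([a-z0-9-]{1,32})$`)
)

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
}

// decodeUnverified returns the payload claims of a compact JWT without
// checking its signature. Both flows start here, because the key that would
// verify the signature is exactly what the JWKS fetch is about to retrieve.
func decodeUnverified(token string) (claims, error) {
	var c claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(raw, &c)
}

// vulnerableJWKSURL models the flawed flow: the unanchored regex accepts any
// text after "tenant=" and the match lands in the URL unchecked, so an iss of
// "tenant=attacker.example/#" moves the whole host to attacker.example.
func vulnerableJWKSURL(token string) (string, error) {
	c, err := decodeUnverified(token)
	if err != nil {
		return "", err
	}
	m := looseTenantRe.FindStringSubmatch(c.Iss)
	if m == nil {
		return "", errors.New("no tenant in iss")
	}
	return strings.ReplaceAll(jwksTemplate, "{{tenant}}", m[1]), nil
}

// hardenedJWKSURL constrains the value and the destination before any I/O:
// the extracted tenant must fully match the strict pattern, and the assembled
// URL must parse to an https host under the expected suffix.
func hardenedJWKSURL(token string) (string, error) {
	c, err := decodeUnverified(token)
	if err != nil {
		return "", err
	}
	m := strictTenantRe.FindStringSubmatch(c.Iss)
	if m == nil {
		return "", errors.New("iss does not have the expected tenant form")
	}
	u := strings.ReplaceAll(jwksTemplate, "{{tenant}}", m[1])
	parsed, err := url.Parse(u)
	if err != nil {
		return "", err
	}
	if parsed.Scheme != "https" || !strings.HasSuffix(parsed.Hostname(), jwksHostSuffix) {
		return "", fmt.Errorf("refusing JWKS fetch to %q", parsed.Hostname())
	}
	return u, nil
}

// forgeToken builds a syntactically valid JWT with a garbage signature. The
// vulnerable flow never looks at the signature, so this is all an attacker needs.
func forgeToken(payloadJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	header := enc([]byte(`{"alg":"RS256","typ":"JWT","kid":"k1"}`))
	return header + "." + enc([]byte(payloadJSON)) + "." + enc([]byte("not-a-signature"))
}

func main() {
	attacker := forgeToken(`{"iss":"tenant=attacker.example/#","aud":"centrifugo"}`)
	legit := forgeToken(`{"iss":"tenant=acme","aud":"centrifugo"}`)
	for _, tok := range []string{attacker, legit} {
		v, verr := vulnerableJWKSURL(tok)
		h, herr := hardenedJWKSURL(tok)
		fmt.Printf("vulnerable: %s %v\nhardened:   %s %v\n\n", v, verr, h, herr)
	}
}
```

The hardened version is deliberately not clever: it does not try to sanitise the attacker's value, it rejects anything that is not a plain identifier and then re-parses the finished URL rather than trusting the template. The second check matters on its own, because a later change to the template (say, moving {{tenant}} into the path) should still fail closed if the host ever ends up somewhere unexpected.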
How can this vulnerability impact me? :
An unauthenticated attacker can make Centrifugo send HTTP requests to destinations of the attacker's choosing: an external server the attacker runs, or hosts on the internal network that Centrifugo can reach but the attacker cannot.
- Probing internal services, including cloud metadata endpoints such as AWS (169.254.169.254) or the GCP metadata server, which can expose IAM credentials.
- Serving a JWKS document from the attacker's own server: if Centrifugo accepts keys fetched from the attacker-chosen URL for verification, the attacker can sign tokens with a key they hold and pass token authentication. Note that the impact assessment that follows rates integrity impact as low, so treat internal exposure and credential theft as the primary risk and key substitution as a possibility to rule out in your own deployment.
Overall: high confidentiality impact (exposure of internal services and credentials), low integrity impact, no availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation of this vulnerability is visible as outbound traffic, not as anything unusual on the inbound side: an attempt turns into an HTTP request from the Centrifugo host to a destination that does not match the JWKS hosts you expect, so detection means watching what Centrifugo fetches.
Watch outbound requests from the Centrifugo server for JWKS fetches to hosts that are not your identity provider, in particular to link-local or private addresses such as 169.254.169.254 and to hosts that only appear once.
Review Centrifugo connection logs for tokens whose iss or aud claims contain URL syntax (`/`, `@`, `?`, `#`, `:`) or otherwise do not fit the identifier shape your template expects; those are the values that steer the JWKS fetch.
- Capture outbound traffic with tcpdump or Wireshark. Mind the filter precedence: `and` binds tighter than `or`, so the host restriction must be grouped with both ports: sudo tcpdump -i any -n -s 0 -A 'src host <centrifugo_ip> and (tcp port 80 or tcp port 443)'. On port 443 the payload is TLS and -A shows nothing useful; the destination is then only visible from the IP address, the TLS SNI, DNS queries, or an egress proxy log.
- If Centrifugo's outbound traffic goes through an egress proxy, alert on any request from it whose host is not on the JWKS allowlist.
- To confirm exposure in a test environment, send a connect request to Centrifugo with a token whose iss or aud carries a hostname you control (a DNS canary) in the template position, and check whether that host receives a lookup or an HTTP request.
- Check the Centrifugo configuration for JWKS URLs that use template variables (e.g., {{tenant}}) and, where those variables are extracted from JWT claims by regex, whether the regex is anchored and limited to an identifier character set. [1]
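The log-review step above, worked through as an added Go example that is not from this page or from Centrifugo: it scans an egress-proxy log for JWKS-style fetches and flags destinations that are off the allowlist, a literal IP, or a private, loopback or link-local address, with the AWS metadata address called out separately. The log lines, their field layout and the `.auth.example` JWKS host suffix are constructed for the example and are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed egress-proxy log for this example (not real Centrifugo output).
// Fields: timestamp, client, method, URL, status.
var sampleLog = []string{
	"2026-03-14T10:02:11Z centrifugo GET https://acme.auth.example/.well-known/jwks.json 200",
	"2026-03-14T10:02:15Z centrifugo GET https://globex.auth.example/.well-known/jwks.json 200",
	"2026-03-14T10:03:40Z centrifugo GET https://attacker.example/#.auth.example/.well-known/jwks.json 200",
	"2026-03-14T10:03:41Z centrifugo GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200",
	"2026-03-14T10:03:42Z centrifugo GET http://10.0.3.7:8500/v1/kv/ 200",
}

// Assumption: every legitimate JWKS host ends with this suffix.
const allowedJWKSSuffix = ".auth.example"

// Finding describes one outbound request that a JWKS fetch should never make.
type Finding struct {
	Line   string
	Host   string
	Reason string
}

// classifyHost returns a non-empty reason when the destination is not an
// acceptable JWKS host. Literal IPs are checked first so that internal ranges
// are named precisely rather than just "not on the allowlist".
func classifyHost(host string) string {
	if ip := net.ParseIP(host); ip != nil {
		switch {
		case ip.Equal(net.IPv4(169, 254, 169, 254)):
			return "cloud metadata endpoint"
		case ip.IsLoopback(), ip.IsPrivate(), ip.IsLinkLocalUnicast():
			return "internal address"
		default:
			return "literal IP instead of JWKS hostname"
		}
	}
	if strings.HasSuffix(host, allowedJWKSSuffix) {
		return ""
	}
	return "host outside JWKS allowlist"
}

// scanEgressLog flags every request whose destination fails classifyHost, and
// plaintext http to an otherwise acceptable host.
func scanEgressLog(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue // not a request line in the assumed layout
		}
		u, err := url.Parse(f[3])
		if err != nil {
			continue
		}
		host := u.Hostname() // strips any :port
		reason := classifyHost(host)
		if reason == "" && u.Scheme != "https" {
			reason = "plaintext http"
		}
		if reason != "" {
			out = append(out, Finding{Line: line, Host: host, Reason: reason})
		}
	}
	return out
}

func main() {
	for _, f := range scanEgressLog(sampleLog) {
		fmt.Printf("%-20s %-32s %s\n", f.Host, f.Reason, f.Line)
	}
}
```

The third sample line is the interesting one: the URL still ends in `.auth.example/.well-known/jwks.json`, so a substring match on the configured template would pass it, but the parsed host is `attacker.example`. Always classify the host the client actually connected to, never the raw URL text.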
What immediate steps should I take to mitigate this vulnerability?
Upgrade Centrifugo to version 6.7.0 or later, where this SSRF is fixed.
If upgrading is not immediately possible, remove dynamic JWKS endpoint URLs whose template variables are derived from JWT claims such as iss or aud, and configure a fixed JWKS URL instead (or one per tenant selected by something other than the unverified token).
Do not treat any field of an unverified token as trusted, including the header kid: every byte of the token is attacker-chosen until the signature has been checked, and the key needed for that check is what the JWKS fetch is supposed to provide, so verification cannot be moved ahead of the fetch. If a template variable must come from the token, its extraction regex should be fully anchored and limited to an identifier character set (for example lowercase letters, digits and hyphens), so that it can never carry '/', '@', '?', '#' or '.' into the URL, and the assembled URL's host should be checked against an allowlist before the request is made.
Restrict Centrifugo's egress at the network level (firewall rules, network policy, or an egress proxy) to the legitimate JWKS hosts, and block link-local and private ranges, including the cloud metadata address 169.254.169.254.
Monitor outbound requests from the Centrifugo server and alert on any destination that is not an expected JWKS host. [1]