CVE-2026-32301 is a critical vulnerability identified in Centrifugo, an open-source scalable real-time messaging server. This vulnerability allows for Server-Side Request Forgery (SSRF) when the server is configured with a dynamic JWKS endpoint URL that utilizes template variables, such as {{tenant}}. An unauthenticated attacker can exploit this vulnerability by crafting a JWT with a malicious 'iss' or 'aud' claim value, which is then interpolated into the JWKS fetch URL before the token signature is verified. Consequently, Centrifugo may make outbound HTTP requests to an attacker-controlled destination, which poses significant security risks. The vulnerability has been addressed in version 6.7.0, released on March 13, 2026.
The severity of this vulnerability is classified as critical, with a CVSS score of 9.3. This high score reflects the potential impact on confidentiality, as sensitive data may be exposed due to unauthorized access, while integrity may be partially compromised. The low attack complexity and lack of required privileges for exploitation further emphasize the urgency for organizations to act. Given the potential for exploitation, organizations should prioritize patching immediately.
Currently, there is no known public exploit confirmed for this vulnerability, and it is not listed in the Known Exploited Vulnerabilities (KEV) database. However, the nature of SSRF vulnerabilities indicates that they could be leveraged in various attack scenarios, potentially allowing attackers to access internal resources or services.
Organizations running versions of Centrifugo prior to 6.7.0 should take immediate action to remediate this vulnerability. This includes updating to the latest version as soon as possible and reviewing configurations that utilize dynamic JWKS endpoints.
Vulnerability Details
The vulnerability is classified under CWE-918, which corresponds to "Server-Side Request Forgery (SSRF)". The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N. This indicates that the attack vector is network-based, with low complexity, no privileges required, and no user interaction necessary. The potential impacts are high for confidentiality, low for integrity, and none for availability.
The vulnerability affects all versions of Centrifugo prior to 6.7.0, and organizations are strongly encouraged to upgrade to the latest patched version to mitigate this risk.
Technical Analysis
The root cause of this vulnerability lies in the improper handling of user-supplied input when generating the JWKS fetch URL. By allowing template variables in the URL, an attacker can manipulate the JWT claims to redirect outbound requests to arbitrary domains, which may lead to unintended data exposure or further attacks on internal services.
The attack vector for this vulnerability is network-based, allowing attackers to exploit it remotely without any physical access to the target system. Given that no user interaction is required, this vulnerability poses a significant risk to organizations utilizing Centrifugo.
As there are no privilege requirements, any unauthenticated user can potentially exploit this vulnerability, making it critical for organizations to address it promptly. The impacts on confidentiality are high, as sensitive data may be leaked through unauthorized HTTP requests. The integrity impact is low, indicating that while data may be accessed, it is not necessarily altered. There are no availability impacts associated with this vulnerability.
Risk & Impact Analysis
The real-world deployment risk associated with CVE-2026-32301 is significant, particularly for organizations utilizing Centrifugo in a multi-tenant environment. Attackers may leverage this vulnerability to access sensitive internal services, leading to data breaches or unauthorized access to critical infrastructure. The blast radius potential is extensive, especially if the compromised system has access to other critical systems or sensitive data.
Given the critical nature of the vulnerability and its high CVSS score, organizations should assess their exposure and prioritize remediation efforts. The urgency for organizations to patch this vulnerability cannot be overstated, as the potential impacts on confidentiality and data integrity are severe.
Organizations should also consider implementing additional monitoring and network controls to detect any attempts to exploit this vulnerability before they are remediated.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
Centrifugo versions prior to 6.7.0 are affected by this vulnerability. Organizations should ensure they upgrade to version 6.7.0 or later to mitigate the risk.
Mitigation & Remediation
To remediate CVE-2026-32301, organizations should upgrade to Centrifugo version 6.7.0 or later. If patching is not immediately feasible, consider implementing workarounds by disabling the use of dynamic JWKS endpoint URLs or by applying strict input validation to prevent the exploitation of this vulnerability. Additionally, organizations should review access controls and ensure that monitoring mechanisms are in place to identify any unauthorized requests.
For further guidance and to understand best practices, organizations may want to explore penetration testing to assess their security posture and identify any other potential vulnerabilities.
Detection Guidance
Organizations should monitor logs for unusual outbound requests originating from the Centrifugo server, particularly requests directed towards unknown or suspicious domains. Additionally, behavioral anomalies in JWT processing or unexpected increases in traffic could indicate exploitation attempts.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2026-32301 is reflected in the growing trend of SSRF vulnerabilities being exploited in real-world attacks. Security teams should take this opportunity to enhance their security practices, especially around dynamic URL configurations and the handling of JWT claims.
This vulnerability represents a pattern where misconfigurations in server settings can lead to severe security incidents. Organizations must prioritize security training to ensure developers and system administrators understand the risks associated with SSRF and similar vulnerabilities.
For further insights on vulnerability management, organizations can refer to vulnerability management programs and best practices in security testing to bolster their defenses.
Additionally, understanding the landscape of ransomware attacks can help organizations mitigate risks associated with potential exploitation of vulnerabilities like CVE-2026-32301. Organizations should stay informed by reviewing resources such as the 2025 ransomware statistics to understand emerging threats.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)