CVE-2026-32301
Published: 13 March 2026
Summary
CVE-2026-32301 is a critical-severity SSRF (CWE-918) vulnerability in Centrifugal Centrifugo. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 28.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted JWT claims (iss/aud) before they are interpolated into JWKS fetch URLs, directly preventing SSRF exploitation.
- IA-13 (Identity Providers and Authorization Servers): restricts JWKS endpoints to organization-approved identity providers and authorization servers, blocking dynamic fetches to arbitrary attacker-controlled destinations.
- Monitoring and control of outbound communications at system boundaries, to block unauthorized HTTP requests to attacker-specified hosts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF in Centrifugo, a real-time messaging server that is typically exposed to the Internet, can be triggered without authentication, which maps directly to Exploit Public-Facing Application (T1190).
NVD Description
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.
Deeper analysis
CVE-2026-32301 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in Centrifugo, an open-source scalable real-time messaging server. It affects versions prior to 6.7.0 when configured with a dynamic JSON Web Key Set (JWKS) endpoint URL that uses template variables, such as {{tenant}}. In this setup, claim values from a JSON Web Token (JWT) are interpolated into the JWKS fetch URL before the token's signature verification occurs.
An unauthenticated attacker can exploit the vulnerability by crafting a JWT with malicious iss or aud claim values. These values cause Centrifugo to fetch the JWKS from an attacker-controlled destination via an outbound HTTP request. The CVSS v3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N), reflecting critical severity with network accessibility, low attack complexity, no privileges or user interaction required, changed scope, high confidentiality impact, and low integrity impact.
The vulnerability is fixed in Centrifugo version 6.7.0. Additional details on mitigation and patches are available in the GitHub security advisory at https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552.
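The two controls listed above (validating the untrusted claims and restricting fetches to approved identity providers) can be combined in one resolver. The following Go example is added here for illustration and is not Centrifugo's code: it fills a JWKS URL template only from claim values that pass a strict identifier check, and only when the resolved URL is an https URL whose host is on an operator allowlist. The template syntax, `JWKSPolicy` and `ResolveJWKSURL` are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

var (
	placeholderRe = regexp.MustCompile(`\{\{\s*([a-zA-Z_]+)\s*\}\}`) // {{tenant}}, {{iss}}, ...
	// A claim value may only be a DNS-label-like identifier: no '.', '/', '@', '#' or '?',
	// so it can never change the host or path structure of the template.
	identRe = regexp.MustCompile(`^[a-z0-9][a-z0-9-]{0,62}$`)
)

// JWKSPolicy is hypothetical operator configuration: the URL template and the
// exact identity-provider hosts from which keys may be fetched.
type JWKSPolicy struct {
	Template     string
	AllowedHosts map[string]bool
}

// ResolveJWKSURL fills the template from still-unverified JWT claims. It rejects
// any claim that is not a safe identifier and any result that is not an https
// URL on an approved host, so the server never fetches keys from an unknown host.
func ResolveJWKSURL(p JWKSPolicy, claims map[string]string) (string, error) {
	var bad error
	resolved := placeholderRe.ReplaceAllStringFunc(p.Template, func(m string) string {
		name := placeholderRe.FindStringSubmatch(m)[1]
		if v, ok := claims[name]; ok && identRe.MatchString(v) {
			return v
		}
		bad = fmt.Errorf("claim %q is missing or not a safe identifier", name)
		return m
	})
	if bad != nil {
		return "", bad
	}
	u, err := url.Parse(resolved)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || !p.AllowedHosts[u.Hostname()] {
		return "", fmt.Errorf("resolved URL %q is not an approved identity provider", resolved)
	}
	return u.String(), nil
}
```

Because the identifier check runs before interpolation and the host check runs after, a claim value can neither escape the template nor point the fetch at a host the operator did not approve.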
Details
- CWE(s)