PT-2026-25082 · Unknown · Centrifugo
Varshanknaik · Published 2026-03-12 · Updated 2026-03-27 · CVE-2026-32301
CVSS v3.1: 9.3 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Centrifugo versions prior to 6.7.0
Description
Centrifugo is susceptible to a Server-Side Request Forgery (SSRF) condition when configured with a dynamic JWKS endpoint URL that uses template variables, such as {{tenant}}. An unauthenticated attacker can construct a JWT with a malicious iss or aud claim value. This value is interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to initiate an outbound HTTP request to a destination controlled by the attacker. The root cause is that signature verification occurs after the URL interpolation, allowing an attacker to manipulate the request destination. The vulnerability exists in the internal/jwtverify/token verifier jwt.go file, specifically within the VerifyConnectToken and VerifySubscribeToken functions. These functions parse the token without initial verification, decode its claims, and then use those claims to construct the JWKS URL before the signature is checked. This gives an attacker control over the URL used for fetching the JWKS, leading to SSRF. The issue is exacerbated by a suppressed security linter comment that incorrectly states the URL comes solely from server configuration, when it is partially derived from user-supplied JWT claims. Exploitation can lead to internal network reconnaissance, access to metadata endpoints on cloud deployments, and potentially full authentication bypass if the attacker can serve a malicious JWKS response.
Recommendations
Update to Centrifugo version 6.7.0 or later.
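The ordering described above, shown as an added illustration that is not Centrifugo's code and not the fix shipped in 6.7.0: a naive resolver that interpolates unverified JWT claims straight into a templated JWKS URL, beside a hardened resolver that constrains every substituted value to a plain identifier and confirms the resolved URL still points under the operator-configured host before any fetch would happen. Because the JWKS is needed to verify the signature, the checks have to run on the raw claim values themselves. The template, host suffix, claim names and token contents are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// makeUnsignedToken builds a constructed, syntactically valid JWT whose
// signature segment is a placeholder. It stands in for what an unauthenticated
// client can submit; the signature is never checked in the code below.
func makeUnsignedToken(claims map[string]string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(claims) // map[string]string always marshals
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".placeholder-signature"
}

// unverifiedClaims decodes the payload segment WITHOUT checking the signature.
// Every value returned here is attacker-controlled.
func unverifiedClaims(token string) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var raw map[string]interface{}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	claims := make(map[string]string)
	for name, value := range raw {
		if s, ok := value.(string); ok { // only string claims can be interpolated
			claims[name] = s
		}
	}
	return claims, nil
}

// resolveTemplate substitutes every {{name}} placeholder with the matching claim
// value. On its own it trusts whatever the claims contain.
func resolveTemplate(tmpl string, vars map[string]string) string {
	out := tmpl
	for name, value := range vars {
		out = strings.ReplaceAll(out, "{{"+name+"}}", value)
	}
	return out
}

// vulnerableJWKSURL reproduces the ordering the advisory describes: decode
// unverified claims, then interpolate them straight into the fetch URL.
func vulnerableJWKSURL(tmpl, token string) (string, error) {
	claims, err := unverifiedClaims(token)
	if err != nil {
		return "", err
	}
	return resolveTemplate(tmpl, claims), nil
}

// safeIdentifier is the only shape a template variable may take: no '/', '.',
// '@', '?', '#' or other URL metacharacters that could change the destination.
var safeIdentifier = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// hardenedJWKSURL applies the checks before any outbound request would be made:
// each claim referenced by the template must be a plain identifier, no
// placeholder may remain, and the resolved URL must stay on HTTPS under the
// configured host suffix (the leading dot prevents "evilkeys.example.com").
func hardenedJWKSURL(tmpl, allowedHostSuffix, token string) (string, error) {
	claims, err := unverifiedClaims(token)
	if err != nil {
		return "", err
	}
	for name, value := range claims {
		if !strings.Contains(tmpl, "{{"+name+"}}") {
			continue // claim is not referenced by the template
		}
		if !safeIdentifier.MatchString(value) {
			return "", fmt.Errorf("claim %q is not a safe identifier", name)
		}
	}
	resolved := resolveTemplate(tmpl, claims)
	if strings.Contains(resolved, "{{") {
		return "", errors.New("template placeholder left unresolved")
	}
	u, err := url.Parse(resolved)
	if err != nil {
		return "", fmt.Errorf("resolved URL is invalid: %w", err)
	}
	if u.Scheme != "https" || !strings.HasSuffix(u.Host, allowedHostSuffix) {
		return "", fmt.Errorf("resolved JWKS URL %q left the configured host", resolved)
	}
	return resolved, nil
}

func main() {
	// Constructed configuration and tokens; hostnames are placeholders.
	tmpl := "https://{{tenant}}.keys.example.com/.well-known/jwks.json"
	honest := makeUnsignedToken(map[string]string{"tenant": "acme", "sub": "user-1"})
	crafted := makeUnsignedToken(map[string]string{"tenant": "other-host.example/", "sub": "user-1"})
	for _, tok := range []string{honest, crafted} {
		v, _ := vulnerableJWKSURL(tmpl, tok)
		h, err := hardenedJWKSURL(tmpl, ".keys.example.com", tok)
		fmt.Printf("vulnerable -> %s\nhardened   -> %q err=%v\n", v, h, err)
	}
}
```

The identifier check does the real work: a value that cannot contain a slash, dot or `@` cannot move the request off the configured origin whether the placeholder sits in the host or in the path. The host-suffix check is defence in depth for the case where the template itself is later changed, and the unresolved-placeholder check rejects tokens that simply omit the claim.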
Affected Products
Centrifugo