PT-2026-27296 · Go · Github.Com/Centrifugal/Centrifugo/V6

Published 2026-03-13 · Updated 2026-03-13

CVSS v3.1: 0.0 (None)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N

Summary

Centrifugo supports a configuration flag `insecure_skip_token_signature_verify` that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT token regardless of signature validity — including tokens signed with wrong keys, random signatures, or no signature at all. Critically, no warning is logged at startup or runtime when this flag is active, making it invisible to operators and security auditors.

Note: This vulnerability requires the operator to have explicitly set `insecure_skip_token_signature_verify=true`. The core issue is the absence of any warning when this flag is active, making accidental production exposure undetectable.

Details

The flag is defined in internal/configtypes/types.go:

```go
InsecureSkipTokenSignatureVerify bool `mapstructure:"insecure_skip_token_signature_verify"`
```

It is passed directly to token verification in internal/client/handler.go:

```go
token, err := h.tokenVerifier.VerifyConnectToken(e.Token,
  cfg.Client.InsecureSkipTokenSignatureVerify)
```

In token_verifier_jwt.go, when skipVerify=true the entire signature block is bypassed:

```go
if !skipVerify {
  // Never executed when skipVerify is true: the token is accepted unsigned
  err = verifier.verifySignature(token)
}
```

The flag is configurable via multiple vectors, making accidental exposure likely:

  • Config file: `insecure_skip_token_signature_verify: true`
  • Environment variable: `CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY=true`
  • YAML and TOML config formats

Despite `hmac_secret_key` being configured, startup logs show "enabled JWT verifiers" — falsely implying verification is active.

PoC

Config with legitimate HMAC key but skip flag enabled:

```json
{
  "client": {
    "insecure_skip_token_signature_verify": true,
    "token": { "hmac_secret_key": "legitimate-production-secret-key" }
  }
}
```

Token signed with a completely wrong key is fully accepted:

```text
VULNERABILITY CONFIRMED!
Connected as user: {'client': '899dec73...', 'version': '0.0.0 OSS'}
No security warning emitted when insecure_skip_token_signature_verify=true: 1
Token signed with wrong key accepted, authentication bypass confirmed: 2
skipVerify flag propagated from config to all token verification calls: 3
```

Impact

  • Any unauthenticated user can connect as any arbitrary user ID
  • Complete authentication bypass — attacker sets any sub claim value
  • No indicators in logs that the server is operating insecurely
  • Easily triggered accidentally via environment variable injection in containerized deployments (e.g. misconfigured Kubernetes secrets)
  • Affects all connection types: WebSocket, HTTP-streaming, SSE, GRPC

Suggested Fix

  1. Emit a loud startup warning when the flag is enabled:

```go
if cfg.Client.InsecureSkipTokenSignatureVerify {
  log.Warn().Msg("SECURITY WARNING: JWT signature verification is " +
    "DISABLED via insecure_skip_token_signature_verify - " +
    "DO NOT use in production!")
}
```

  2. Consider requiring an additional explicit `insecure_mode: true` flag to prevent accidental single-flag misconfiguration
  3. Log a warning on every accepted token when skip is active
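The guard suggested in items 1 and 2, written out as an added Go example (not code from the advisory or from Centrifugo itself). It assumes a minimal `Config` shape with the keys named above plus a hypothetical `insecure_mode` opt-in, and applies the environment override before the check so a flag injected via `CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY` is caught the same way as a file setting.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)

// Config mirrors only the keys this advisory discusses; an assumed shape
// for illustration, not Centrifugo's own configuration types.
type Config struct {
	Client struct {
		InsecureSkipTokenSignatureVerify bool `json:"insecure_skip_token_signature_verify"`
		InsecureMode                     bool `json:"insecure_mode"` // hypothetical second opt-in flag
		Token                            struct {
			HMACSecretKey string `json:"hmac_secret_key"`
		} `json:"token"`
	} `json:"client"`
}

// SkipEnv is the environment variable named in the advisory.
const SkipEnv = "CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY"

// LoadConfig parses a JSON config and applies the env override, so a flag
// injected via the environment reaches the same guard as a file setting.
func LoadConfig(raw []byte, env []string) (Config, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return cfg, err
	}
	for _, kv := range env {
		if strings.EqualFold(kv, SkipEnv+"=true") {
			cfg.Client.InsecureSkipTokenSignatureVerify = true
		}
	}
	return cfg, nil
}

// CheckTokenVerification is the startup guard the advisory suggests: refuse
// to start on the single flag, warn loudly when insecure_mode is also set.
func CheckTokenVerification(cfg Config) (string, error) {
	if !cfg.Client.InsecureSkipTokenSignatureVerify {
		return "", nil
	}
	if !cfg.Client.InsecureMode {
		return "", errors.New("insecure_skip_token_signature_verify=true without insecure_mode=true; refusing to start")
	}
	return "SECURITY WARNING: JWT signature verification is DISABLED; any token is accepted", nil
}
```

Wire `CheckTokenVerification` into startup before any listener is opened, and ship the returned warning at error level so it survives log filtering.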

Weakness Enumeration

Improper Authorization

Related Identifiers

GHSA-Q926-C743-49QJ

Affected Products

Github.Com/Centrifugal/Centrifugo/V6