Server-Side Request Forgery Vulnerability in Centrifugo Real-Time Messaging Server
CVE-2026-32301

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 12 March 2026

What is CVE-2026-32301?

Centrifugo, an open-source scalable real-time messaging server, is vulnerable to Server-Side Request Forgery (SSRF) when its JWKS endpoint URL is configured dynamically, with template variables that are filled in from token claims. An unauthenticated attacker can exploit this by crafting a JWT whose 'iss' or 'aud' claim carries an attacker-chosen value. The key set needed to verify the token's signature is exactly what the JWKS fetch is meant to return, so these claims are read and interpolated into the fetch URL before the token has been verified; the signature can be arbitrary. The resulting URL steers Centrifugo into making an outbound HTTP request to a destination the attacker controls, including hosts reachable only from the server's own network. The issue is fixed in Centrifugo 6.7.0. Until a deployment can upgrade, configuring the JWKS endpoint as a fixed URL rather than a template removes the attacker-controlled input, and egress filtering limits where a forced request can land.
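To make the failure concrete, the following is an added Go example written for this page; it is not Centrifugo's code. Centrifugo is written in Go, but the `{iss}`/`{aud}` placeholder syntax, the endpoint template, the policy struct, the function names and every hostname below are this example's own constructions. It forges an unsigned token, shows a URL builder that substitutes the unverified claims straight into the template (the vulnerable pattern), and beside it a hardened builder that allowlists the claim values before interpolation and checks the final URL's scheme and host as a second, independent gate.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// jwksTemplate is a constructed endpoint template for this example. The
// {iss} placeholder sits in the host position, which is the worst case for
// SSRF; the placeholder syntax is this example's own, not Centrifugo's.
const jwksTemplate = "https://{iss}/.well-known/jwks.json"

// unverifiedClaims carries the two claims the advisory names. They come from
// the token body before any signature check: the key that would verify the
// signature is exactly what the JWKS fetch is supposed to return, so at this
// point every value is attacker-controlled.
type unverifiedClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // string form only; RFC 7519 also allows an array
}

// forgeToken builds an unsigned compact JWT with the given claims. An
// attacker needs nothing more, because the claims are consumed before the
// (bogus) signature is ever checked.
func forgeToken(iss, aud string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload := enc(unverifiedClaims{Iss: iss, Aud: aud})
	return header + "." + payload + ".bm90LWEtc2lnbmF0dXJl" // base64url("not-a-signature")
}

// parseUnverifiedClaims decodes the payload segment of a compact JWT without
// verifying it, mirroring what any JWKS-resolving verifier must do first.
func parseUnverifiedClaims(token string) (unverifiedClaims, error) {
	var c unverifiedClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(payload, &c)
}

// buildJWKSURLVulnerable shows the flawed pattern: raw claim values are
// substituted into the template, so the token author picks the target host.
func buildJWKSURLVulnerable(tmpl string, c unverifiedClaims) string {
	return strings.NewReplacer("{iss}", c.Iss, "{aud}", c.Aud).Replace(tmpl)
}

// jwksPolicy is the operator's allowlist: the only issuer/audience values
// that may be interpolated, and the only hosts a JWKS fetch may reach.
type jwksPolicy struct {
	Issuers   map[string]bool
	Audiences map[string]bool
	Hosts     map[string]bool
}

// examplePolicy is a constructed policy for a deployment whose keys live on
// idp.example.com (a hypothetical host).
var examplePolicy = jwksPolicy{
	Issuers:   map[string]bool{"idp.example.com": true},
	Audiences: map[string]bool{"centrifugo": true},
	Hosts:     map[string]bool{"idp.example.com": true},
}

// buildJWKSURLHardened rejects any claim value outside the allowlist before
// it touches the template, escapes what it does interpolate, and then checks
// the resulting URL against the scheme/host allowlist as a second gate.
func buildJWKSURLHardened(tmpl string, c unverifiedClaims, p jwksPolicy) (string, error) {
	if !p.Issuers[c.Iss] {
		return "", fmt.Errorf("issuer %q not allowlisted", c.Iss)
	}
	if !p.Audiences[c.Aud] {
		return "", fmt.Errorf("audience %q not allowlisted", c.Aud)
	}
	raw := strings.NewReplacer(
		"{iss}", url.PathEscape(c.Iss),
		"{aud}", url.PathEscape(c.Aud),
	).Replace(tmpl)
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || !p.Hosts[u.Hostname()] {
		return "", fmt.Errorf("JWKS URL %q leaves the allowed host set", raw)
	}
	return u.String(), nil
}

func main() {
	for _, tok := range []string{
		forgeToken("idp.example.com", "centrifugo"),
		forgeToken("169.254.169.254", "centrifugo"), // cloud metadata address
	} {
		c, _ := parseUnverifiedClaims(tok)
		fmt.Println("vulnerable fetches:", buildJWKSURLVulnerable(jwksTemplate, c))
		if u, err := buildJWKSURLHardened(jwksTemplate, c, examplePolicy); err != nil {
			fmt.Println("hardened rejects:  ", err)
		} else {
			fmt.Println("hardened fetches:  ", u)
		}
	}
}
```

The two gates are deliberately independent: the claim allowlist stops attacker input from ever reaching the template, and the host check on the parsed URL catches any template whose placeholder ends up in a position where escaping alone would not help. Note that neither gate involves the signature, because at URL-building time no trusted key is available yet.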

Affected Version(s)

centrifugo < 6.7.0

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 12 March 2026

  • Vulnerability reserved