Centrifugo RCE (CVE-2026-32301)

Overview

A critical Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2026-32301, has been discovered in Centrifugo, a popular open-source real-time messaging server. This flaw allows an unauthenticated attacker to manipulate the server into making unauthorized outbound HTTP requests to internal or external systems.

Vulnerability Explained

In simple terms, this vulnerability exists in Centrifugo configurations that use a dynamic URL to fetch JSON Web Key Sets (JWKS) for verifying user tokens. When the JWKS endpoint URL contains template variables (like {{tenant}}), Centrifugo inserts values from a user’s JWT token into this URL before checking if the token’s signature is valid.

An attacker can craft a malicious JWT with a manipulated iss (issuer) or aud (audience) claim. When Centrifugo processes this token, it plugs the attacker’s controlled value into the JWKS URL and immediately attempts to fetch keys from that resulting address. Since this happens before signature verification, even an invalid or unsigned token can trigger the request.

Potential Impact

The impact of this vulnerability is severe (CVSS score: 9.3). By exploiting this SSRF flaw, an attacker can:

• Probe and potentially access internal services and systems that are not normally exposed to the internet.
• Exfiltrate sensitive data from internal APIs or metadata services (like those in cloud environments).
• Use Centrifugo as a proxy to launch further attacks against other backend systems.

This could lead to significant data breaches and network compromise. For context on the damage caused by data exposure, recent incidents are documented in our breach reports.

Remediation and Mitigation

Primary Action: Update Immediately The vulnerability is fixed in Centrifugo version 6.7.0. All users running versions prior to 6.7.0 must upgrade to this version or later as soon as possible.

Immediate Mitigation (If Update is Delayed): If an immediate upgrade is not feasible, review your Centrifugo configuration. If you are using a dynamic JWKS endpoint URL (e.g., one containing {{tenant}} or similar variables), you must temporarily switch to a static, hard-coded JWKS URL that does not rely on token claims for construction. This will break the attack vector until the patch can be applied.

Verification: After updating, verify that your JWKS configuration is secure and that the new version is running correctly. Regularly monitor your infrastructure for unusual outbound traffic, which can be an indicator of attempted exploitation.

Staying informed on such critical vulnerabilities is crucial for maintaining security. For the latest updates on threats and patches, follow our security news.