CVE-2026-32301
📋 TL;DR
Centrifugo versions before 6.7.0 are vulnerable to Server-Side Request Forgery (SSRF) when configured with dynamic JWKS endpoint URLs. An unauthenticated attacker can craft malicious JWT claims that get interpolated into JWKS fetch URLs before signature verification, forcing the server to make outbound HTTP requests to attacker-controlled destinations. This affects all Centrifugo deployments using dynamic JWKS endpoint templates.
💻 Affected Systems
- Centrifugo
📦 What is this software?
Centrifugo by Centrifugal
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains internal network access, exfiltrates sensitive data, or performs lateral movement by making Centrifugo proxy requests to internal services.
Likely Case
Attacker uses Centrifugo as a proxy to scan internal networks, access metadata services, or perform denial-of-service attacks against internal systems.
If Mitigated
Limited to external network scanning or minimal impact if outbound HTTP requests are heavily restricted.
🎯 Exploit Status
Exploitation requires understanding of JWT claims and JWKS configuration, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.7.0
Vendor Advisory: https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552
Restart Required: Yes
Instructions:
1. Download Centrifugo 6.7.0 or later from official sources.
2. Replace the existing Centrifugo binary with the new version.
3. Restart the Centrifugo service.
🔧 Temporary Workarounds
Disable dynamic JWKS endpoints
Remove template variables from JWKS endpoint URLs in the Centrifugo configuration.
Edit the Centrifugo configuration file and replace any JWKS URLs containing {{variables}} with static URLs.
Restrict outbound HTTP
Use firewall rules to limit Centrifugo's outbound HTTP connections to only trusted JWKS endpoints.
# Allow TLS to the trusted JWKS host first, then drop all other outbound HTTP/HTTPS (iptables evaluates rules in order, so ACCEPT must precede DROP)
iptables -A OUTPUT -p tcp --dport 443 -d trusted.jwks.endpoint -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement network segmentation to restrict Centrifugo's outbound HTTP access to only necessary JWKS endpoints.
- Deploy a web application firewall (WAF) with SSRF protection rules to block malicious outbound requests.
🔍 How to Verify
Check if Vulnerable:
Check the Centrifugo configuration for JWKS endpoints containing template variables like {{tenant}}. If any are present and the version is below 6.7.0, the system is vulnerable.
Check Version:
centrifugo version
Verify Fix Applied:
Verify Centrifugo version is 6.7.0 or higher using version check command and confirm no dynamic JWKS endpoints in configuration.
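As an added verification helper (not part of the advisory and not Centrifugo's own code), the script below walks a Centrifugo JSON configuration for JWKS endpoint values that contain {{...}} template variables and combines that finding with the output of `centrifugo version`; the key names, key layout and sample config are assumptions, so it matches any key whose name contains "jwks" rather than one fixed path.

```python
import json
import re
from typing import Any

# Matches Go-style template placeholders such as {{tenant}} or {{ .tenant }}.
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}")
FIXED_VERSION = (6, 7, 0)  # first release that is not vulnerable per the advisory


def parse_version(text: str) -> tuple:
    """Extract MAJOR.MINOR.PATCH from `centrifugo version` output (e.g. 'Centrifugo v6.6.0 ...')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def find_dynamic_jwks_endpoints(config: Any, path: str = "") -> list:
    """Return (json_path, value) for every string under a key containing 'jwks' that holds {{...}}.

    Assumption: the relevant option name contains 'jwks' (e.g. jwks_public_endpoint);
    the exact key path is not taken from the advisory, so the whole tree is searched."""
    hits = []
    if isinstance(config, dict):
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and "jwks" in key.lower() and TEMPLATE_RE.search(value):
                hits.append((child, value))
            else:
                hits.extend(find_dynamic_jwks_endpoints(value, child))
    elif isinstance(config, list):
        for i, item in enumerate(config):
            hits.extend(find_dynamic_jwks_endpoints(item, f"{path}[{i}]"))
    return hits


def is_vulnerable(config_text: str, version_output: str) -> bool:
    """Vulnerable only when a templated JWKS URL is configured AND the binary is older than 6.7.0."""
    hits = find_dynamic_jwks_endpoints(json.loads(config_text))
    return bool(hits) and parse_version(version_output) < FIXED_VERSION


# Constructed sample config (not from a real deployment); the key layout is illustrative only.
SAMPLE_CONFIG = json.dumps({
    "client": {"token": {"jwks_public_endpoint": "https://auth.example.com/{{tenant}}/.well-known/jwks.json"}},
    "http_api": {"jwks_public_endpoint": "https://static.example.com/jwks.json"},
})

if __name__ == "__main__":
    for p, v in find_dynamic_jwks_endpoints(json.loads(SAMPLE_CONFIG)):
        print(f"dynamic JWKS endpoint at {p}: {v}")
    print("vulnerable:", is_vulnerable(SAMPLE_CONFIG, "Centrifugo v6.6.0 (Go version: go1.22)"))
```

Run it against the real config file and version output to get a yes/no answer plus the exact config path of each templated endpoint that needs replacing with a static URL.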
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Centrifugo process to non-standard JWKS endpoints
- Failed JWKS fetch attempts to unexpected domains
Network Indicators:
- HTTP requests from Centrifugo server to unexpected internal or external IP addresses
- Unusual port scanning activity originating from Centrifugo server
SIEM Query:
source="centrifugo" AND (url="*{{*" OR destination_ip NOT IN ["trusted_jwks_ips"])