This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: CVE-2026-32301 is a critical SSRF flaw in **Centrifugo**. <br>π₯ **Consequences**: Attackers can trigger **Server-Side Request Forgery** via crafted JWTs.β¦
π‘οΈ **Root Cause**: **CWE-918** (SSRF). <br>π **Flaw**: Improper configuration of the **dynamic JWKS endpoint URL**. The server fails to validate the source of the JWT signing keys, allowing malicious redirection. β οΈ
Q3Who is affected? (Versions/Components)
π¦ **Affected**: **Centrifugo** (Real-time messaging server by Centrifugal Labs). <br>π **Version**: All versions **before 6.7.0**. <br>π’ **Vendor**: Centrifugal Labs. π
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Attacker Actions**: <br>1. **SSRF**: Force the server to request internal resources. <br>2. **Auth Bypass**: Exploit the JWT validation loop. <br>3.β¦
π **Threshold**: **LOW**. <br>π **Auth**: **None required** (Unauthenticated). <br>βοΈ **Config**: Requires only the dynamic JWKS feature to be enabled. <br>π **Network**: Remote exploitation possible. π
Q6Is there a public Exp? (PoC/Wild Exploitation)
π§ͺ **Public Exploit**: **No**. <br>π **PoC**: The provided data lists **empty** PoCs (`pocs: []`). <br>β οΈ **Risk**: Despite no public code, the CVSS score indicates high exploitability. Be cautious! π
Q7How to self-check? (Features/Scanning)
π **Self-Check**: <br>1. Check Centrifugo version (`< 6.7.0`). <br>2. Audit config for **dynamic JWKS URL** settings. <br>3. Monitor logs for unusual JWT validation requests to internal IPs. π
Q8Is it fixed officially? (Patch/Mitigation)
β **Fixed**: **Yes**. <br>π§ **Patch**: Upgrade to **Centrifugo 6.7.0** or later. <br>π **Ref**: [GitHub Advisory GHSA-j77h-rr39-c552](https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552). π
Q9What if no patch? (Workaround)
π§ **No Patch Workaround**: <br>1. **Disable** dynamic JWKS endpoints if not strictly needed. <br>2. **Whitelist** allowed JWKS URLs strictly. <br>3. Apply **WAF** rules to block SSRF patterns in JWT claims. π‘οΈ
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: **HIGH**. <br>π **Priority**: **P1**. <br>π **CVSS**: High severity (C:H, S:C). <br>β³ **Action**: Patch immediately upon upgrade to v6.7.0. Do not ignore! β‘