SCA: security update for github.com/centrifugal/centrifugo/v6 (GHSA-j77h-rr39-c552)

critical Tenable Cloud Security Plugin ID 438795

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable
to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template
variables (e.g. {{tenant}}). An unauthenticated attacker can craft a JWT with a malicious iss or aud claim
value that gets interpolated into the JWKS fetch URL before the token signature is verified, causing
Centrifugo to make an outbound HTTP request to an attacker-controlled destination. This vulnerability is
fixed in 6.7.0. (CVE-2026-32301)

Solution

Update the github.com/centrifugal/centrifugo/v6 library and its related packages to version 6.7.0 or later.

See Also

https://github.com/advisories/GHSA-j77h-rr39-c552

Plugin Details

Severity: Critical

ID: 438795

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/14/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.77

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:P/A:N

CVSS Score Source: CVE-2026-32301

CVSS v3

Risk Factor: Critical

Base Score: 9.3

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/13/2026

Vulnerability Publication Date: 3/12/2026

Reference Information

CVE: CVE-2026-32301

cwe: CWE-918