Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning

GHSA-q926-c743-49qj
What to do
  • Update github.com centrifugal to version 6.7.0.
Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | centrifugal | <= 6.6.2 | 6.7.0 |
Original title
Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning
Original description
### Summary
Centrifugo supports a configuration flag `insecure_skip_token_signature_verify` that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT token regardless of signature validity — including tokens signed with wrong keys, random signatures, or no signature at all. Critically, no warning is logged at startup or runtime when this flag is active, making it invisible to operators and security auditors.

Note: This vulnerability requires the operator to have explicitly set `insecure_skip_token_signature_verify=true`. The core issue is the absence of any warning when this flag is active, making accidental production exposure undetectable.

### Details
The flag is defined in `internal/configtypes/types.go`:
```go
InsecureSkipTokenSignatureVerify bool `mapstructure:"insecure_skip_token_signature_verify"`
```

It is passed directly to token verification in `internal/client/handler.go`:
```go
token, err := h.tokenVerifier.VerifyConnectToken(e.Token,
    cfg.Client.InsecureSkipTokenSignatureVerify)
```

In `token_verifier_jwt.go`, when `skipVerify=true` the entire signature block is bypassed:
```go
if !skipVerify {
    // Skipped entirely when skipVerify is true: no signature check runs
    err = verifier.verifySignature(token)
}
```
The flag is configurable via multiple vectors making accidental exposure likely:
- Config file: `insecure_skip_token_signature_verify: true`
- Environment variable: `CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY=true`
- YAML, TOML config formats

Despite `hmac_secret_key` being configured, startup logs show `"enabled JWT verifiers"` — falsely implying verification is active.

### PoC
Config with legitimate HMAC key but skip flag enabled:
```json
{
  "client": {
    "insecure_skip_token_signature_verify": true,
    "token": { "hmac_secret_key": "legitimate-production-secret-key" }
  }
}
```

Token signed with completely wrong key is fully accepted:
```
VULNERABILITY CONFIRMED!
Connected as user: {'client': '899dec73...', 'version': '0.0.0 OSS'}
```

No security warning emitted when `insecure_skip_token_signature_verify=true`:
![1](https://github.com/user-attachments/assets/606acae0-e6f7-467f-b512-b5350ec6cf38)

Token signed with wrong key accepted, authentication bypass confirmed:
![2](https://github.com/user-attachments/assets/a400c0bf-b78c-40cf-8c73-07fdabb0c672)

skipVerify flag propagated from config to all token verification calls:
![3](https://github.com/user-attachments/assets/4141eb05-0371-46e1-acb7-8a9091c45693)

### Impact
- Any unauthenticated user can connect as any arbitrary user ID
- Complete authentication bypass — attacker sets any `sub` claim value
- No indicators in logs that the server is operating insecurely
- Easily triggered accidentally via environment variable injection in containerized deployments (e.g. misconfigured Kubernetes secrets)
- Affects all connection types: WebSocket, HTTP-streaming, SSE, GRPC

### Suggested Fix
1. Emit a loud startup warning when the flag is enabled:
```go
if cfg.Client.InsecureSkipTokenSignatureVerify {
    log.Warn().Msg("SECURITY WARNING: JWT signature verification is " +
        "DISABLED via insecure_skip_token_signature_verify - " +
        "DO NOT use in production!")
}
```
2. Consider requiring an additional explicit `insecure_mode: true` flag to prevent accidental single-flag misconfiguration
3. Log a warning on every accepted token when skip is active
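The following is an added, self-contained Go illustration of the behaviour described in the Details section and of suggested fixes 1 and 2; it is not Centrifugo's code. `VerifyConnectToken` is a minimal HS256 verifier with the same `skipVerify` short-circuit the advisory quotes, and `StartupCheck` is a hypothetical guard that reports the flag whether it arrives from config or from the `CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY` environment variable and refuses to proceed unless the suggested second flag (`insecure_mode`, assumed here) is also set. `ClientConfig`, `MakeToken` and the sample key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// ClientConfig is a constructed stand-in for the two settings discussed in the
// advisory plus the suggested second flag. InsecureMode is an assumption
// (suggested fix #2), not an existing Centrifugo option.
type ClientConfig struct {
	HMACSecretKey                    string
	InsecureSkipTokenSignatureVerify bool
	InsecureMode                     bool
}

// signHS256 computes the base64url HS256 MAC over "header.payload".
func signHS256(signingInput string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// MakeToken builds an HS256 JWT with a single "sub" claim. It exists only to
// construct sample tokens for the demonstration below.
func MakeToken(sub string, key []byte) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf(`{"sub":%q}`, sub)))
	input := header + "." + payload
	return input + "." + signHS256(input, key)
}

// VerifyConnectToken returns the token's subject. With skipVerify=true the
// signature branch is bypassed entirely, mirroring the pattern the advisory
// quotes, so the key is never consulted and any well-formed token passes.
func VerifyConnectToken(token string, key []byte, skipVerify bool) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	if !skipVerify {
		expected := signHS256(parts[0]+"."+parts[1], key)
		if !hmac.Equal([]byte(expected), []byte(parts[2])) {
			return "", errors.New("invalid signature")
		}
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Sub string `json:"sub"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", err
	}
	return claims.Sub, nil
}

// StartupCheck implements suggested fixes 1 and 2: it detects the skip flag
// from either the config struct or the environment variable named in the
// advisory, returns the warning text for the operator log, and only allows
// startup to proceed when the explicit insecure_mode flag is also set.
func StartupCheck(cfg ClientConfig, env map[string]string) (warning string, proceed bool) {
	skip := cfg.InsecureSkipTokenSignatureVerify ||
		strings.EqualFold(env["CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY"], "true")
	if !skip {
		return "", true
	}
	warning = "SECURITY WARNING: JWT signature verification is DISABLED via " +
		"insecure_skip_token_signature_verify - DO NOT use in production!"
	if !cfg.InsecureMode {
		return warning + " Refusing to start: insecure_mode is not set.", false
	}
	return warning, true
}

func main() {
	// Constructed config matching the advisory's PoC: a real key, skip flag on.
	cfg := ClientConfig{
		HMACSecretKey:                    "legitimate-production-secret-key",
		InsecureSkipTokenSignatureVerify: true,
	}
	env := map[string]string{
		"CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY": os.Getenv("CENTRIFUGO_INSECURE_SKIP_TOKEN_SIGNATURE_VERIFY"),
	}
	warning, ok := StartupCheck(cfg, env)
	fmt.Printf("startup: proceed=%v warning=%q\n", ok, warning)

	key := []byte(cfg.HMACSecretKey)
	wrongKeyToken := MakeToken("admin", []byte("completely-wrong-key"))
	sub, err := VerifyConnectToken(wrongKeyToken, key, true)
	fmt.Printf("skip=true : sub=%q err=%v\n", sub, err)
	sub, err = VerifyConnectToken(wrongKeyToken, key, false)
	fmt.Printf("skip=false: sub=%q err=%v\n", sub, err)
}
```

Running it shows the same contrast as the advisory's PoC: with the flag on, the token signed under a different key yields `sub="admin"` with no error, while the guarded startup path logs the warning and, lacking `insecure_mode`, refuses to proceed. Reading the environment variable in the check is what makes the Kubernetes-secret misconfiguration case visible at startup rather than only in the config file.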
Vulnerability type
CWE-285 Improper Authorization
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026