Skip to main content

Dapr CVE-2026-59096

| EUVDEUVD-2026-41427 HIGH
Origin Validation Error (CWE-346)
2026-07-02 VulnCheck GHSA-q8cr-74p8-486p
8.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network, unauthenticated, no UI; AC:H reflects the required unpinned-discovery precondition; S:C because forged auth impacts downstream relying parties; integrity-only (I:H), no confidentiality or availability loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 20:33 vuln.today
CVSS changed
Jul 02, 2026 - 20:22 NVD
7.5 (HIGH) 8.2 (HIGH)

DescriptionCVE.org

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts.

AnalysisAI

Authentication bypass via OIDC discovery poisoning in Dapr Sentry allows a remote unauthenticated attacker to inject an attacker-controlled issuer and jwks_uri into the /.well-known/openid-configuration document by supplying a crafted X-Forwarded-Host header. Because the endpoint honors that header without validation when no allowed-hosts list is set (the default) and caches the response publicly for one hour, relying parties that perform dynamic, unpinned OIDC discovery will fetch keys from an attacker's server and accept attacker-signed JWTs - effectively forging trusted identities. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Sentry OIDC discovery endpoint
Delivery
Send request with forged X-Forwarded-Host
Exploit
Poison cached openid-configuration issuer/jwks_uri
Execution
Relying party fetches attacker JWKS
Persist
Attacker-signed JWT accepted
Impact
Impersonate trusted identity

Vulnerability AssessmentAI

Exploitation Exploitation requires that Sentry's OIDC server is enabled but running in its default state with NO jwt-issuer configured and NO oidc-allowed-hosts allowlist set - under that configuration the discovery endpoint blindly reflects the attacker-supplied X-Forwarded-Host into the issuer and jwks_uri fields. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N) captures the shape well: network-reachable, no privileges, no user interaction, but with an Attack Requirement (AT:P) - exploitation only bites when relying parties perform dynamic, unpinned discovery, which is the AT:P condition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an unauthenticated HTTP request to Sentry's OIDC discovery endpoint with X-Forwarded-Host set to a server they control, causing the cached /.well-known/openid-configuration to advertise an attacker-hosted jwks_uri. A relying party that performs unpinned discovery then fetches the attacker's JWKS and accepts JWTs signed by the attacker's key, letting the attacker impersonate a trusted identity. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the changes from dapr/dapr pull requests https://github.com/dapr/dapr/pull/10027, https://github.com/dapr/dapr/pull/10028 and https://github.com/dapr/dapr/pull/10029 by upgrading to the Dapr release that incorporates them once identified. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Dapr Sentry deployments in production; audit OIDC configuration to determine if dynamic discovery is in use; document which services depend on Dapr Sentry for authentication. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy