Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network, unauthenticated, no UI; AC:H reflects the required unpinned-discovery precondition; S:C because forged auth impacts downstream relying parties; integrity-only (I:H), no confidentiality or availability loss.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts.
AnalysisAI
Authentication bypass via OIDC discovery poisoning in Dapr Sentry allows a remote unauthenticated attacker to inject an attacker-controlled issuer and jwks_uri into the /.well-known/openid-configuration document by supplying a crafted X-Forwarded-Host header. Because the endpoint honors that header without validation when no allowed-hosts list is set (the default) and caches the response publicly for one hour, relying parties that perform dynamic, unpinned OIDC discovery will fetch keys from an attacker's server and accept attacker-signed JWTs - effectively forging trusted identities. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that Sentry's OIDC server is enabled but running in its default state with NO jwt-issuer configured and NO oidc-allowed-hosts allowlist set - under that configuration the discovery endpoint blindly reflects the attacker-supplied X-Forwarded-Host into the issuer and jwks_uri fields. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N) captures the shape well: network-reachable, no privileges, no user interaction, but with an Attack Requirement (AT:P) - exploitation only bites when relying parties perform dynamic, unpinned discovery, which is the AT:P condition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an unauthenticated HTTP request to Sentry's OIDC discovery endpoint with X-Forwarded-Host set to a server they control, causing the cached /.well-known/openid-configuration to advertise an attacker-hosted jwks_uri. A relying party that performs unpinned discovery then fetches the attacker's JWKS and accepts JWTs signed by the attacker's key, letting the attacker impersonate a trusted identity. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the changes from dapr/dapr pull requests https://github.com/dapr/dapr/pull/10027, https://github.com/dapr/dapr/pull/10028 and https://github.com/dapr/dapr/pull/10029 by upgrading to the Dapr release that incorporates them once identified. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Dapr Sentry deployments in production; audit OIDC configuration to determine if dynamic discovery is in use; document which services depend on Dapr Sentry for authentication. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Rated high severi
Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41427
GHSA-q8cr-74p8-486p