Skip to main content

Dapr

3 CVEs product

Monthly

CVE-2026-59096 HIGH This Week

Authentication bypass via OIDC discovery poisoning in Dapr Sentry allows a remote unauthenticated attacker to inject an attacker-controlled issuer and jwks_uri into the /.well-known/openid-configuration document by supplying a crafted X-Forwarded-Host header. Because the endpoint honors that header without validation when no allowed-hosts list is set (the default) and caches the response publicly for one hour, relying parties that perform dynamic, unpinned OIDC discovery will fetch keys from an attacker's server and accept attacker-signed JWTs - effectively forging trusted identities. Reported by VulnCheck (CVSS 4.0 8.2); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Dapr
NVD GitHub
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-41491 Go HIGH PATCH GHSA This Week

Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. The gRPC API is more dangerous as it passes method strings raw without client-side sanitization. Vendor-released patches are available in versions 1.15.14, 1.16.14, and 1.17.5 (GitHub PR #9589). No public exploit code or CISA KEV listing identified at time of analysis.

Path Traversal Dapr
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2023-37918 Go HIGH POC PATCH This Week

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Dapr
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
EPSS 0% CVSS 8.2
HIGH This Week

Authentication bypass via OIDC discovery poisoning in Dapr Sentry allows a remote unauthenticated attacker to inject an attacker-controlled issuer and jwks_uri into the /.well-known/openid-configuration document by supplying a crafted X-Forwarded-Host header. Because the endpoint honors that header without validation when no allowed-hosts list is set (the default) and caches the response publicly for one hour, relying parties that perform dynamic, unpinned OIDC discovery will fetch keys from an attacker's server and accept attacker-signed JWTs - effectively forging trusted identities. Reported by VulnCheck (CVSS 4.0 8.2); no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Dapr
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. The gRPC API is more dangerous as it passes method strings raw without client-side sanitization. Vendor-released patches are available in versions 1.15.14, 1.16.14, and 1.17.5 (GitHub PR #9589). No public exploit code or CISA KEV listing identified at time of analysis.

Path Traversal Dapr
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Dapr
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy