CVE-2026-59096

Dapr Sentry OIDC Discovery Cache Poisoning

Vulnerability report for CVE-2026-59096, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so that relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server to be enabled without a configured jwt-issuer or oidc-allowed-hosts.


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs

Vendor  Product  Version / Range
dapr    dapr     up to 1.17.0 (exclusive)
dapr    dapr     up to 1.18.0 (exclusive)
dapr    dapr     1.17.8
dapr    dapr     *

Exploitability

CWE ID   Description
CWE-346  The product does not properly verify that the source of data or communication is valid.

AI Quick Actions

Executive Summary

CVE-2026-59096 is a security vulnerability in Dapr's Sentry component related to OpenID Connect (OIDC) discovery. The vulnerability occurs because the OIDC discovery endpoint derives the issuer and jwks_uri fields from the request's Host header or the X-Forwarded-Host header without proper validation when no allowed-hosts list is configured (which is the default).

An attacker can exploit this by sending a request with a spoofed X-Forwarded-Host header to poison the /.well-known/openid-configuration document. This causes relying parties that perform dynamic OIDC discovery without pinning the issuer to fetch JSON Web Key Sets (JWKS) from an attacker-controlled server, potentially accepting attacker-signed JWTs.

The vulnerability requires that the OIDC server is enabled without a configured jwt-issuer or oidc-allowed-hosts, and it arises because the system honors the X-Forwarded-Host header unconditionally by default.

Impact Analysis

This vulnerability can allow a remote unauthenticated attacker to poison the OIDC discovery document, causing relying parties to fetch JWKS from an attacker-controlled server.

As a result, attacker-signed JWTs could be accepted by systems relying on the compromised OIDC discovery, potentially leading to unauthorized access or impersonation.

This can compromise the integrity of authentication and authorization processes in applications using Dapr's Sentry component for OIDC.

Detection Guidance

Detection involves checking whether the Dapr Sentry OIDC discovery endpoint is accessible and whether it improperly honors the X-Forwarded-Host header without validation.

You can test the /.well-known/openid-configuration endpoint by sending HTTP requests with a spoofed X-Forwarded-Host header and observing whether the issuer and jwks_uri fields in the response reflect the spoofed header.

Example curl command to test the vulnerability:

  • curl -H "X-Forwarded-Host: attacker.com" http://<dapr-sentry-host>/.well-known/openid-configuration

If the issuer or jwks_uri in the response contains the attacker.com domain, the system is vulnerable.

Additionally, verify if the --oidc-allowed-hosts flag is configured; absence of this flag or an empty allowlist indicates vulnerability.

Mitigation Strategies

To mitigate this vulnerability immediately, configure the --oidc-allowed-hosts flag with a non-empty allowlist of trusted hostnames.

This ensures that the X-Forwarded-Host header is only honored when it matches an allowed host, preventing attacker-controlled injection.

Alternatively, explicitly set the --jwt-issuer flag to a fixed issuer value to avoid dynamic issuer derivation.

If you rely on reverse proxies forwarding the X-Forwarded-Host header, ensure that the proxies and Dapr configuration align with the allowlist to maintain functionality securely.

Also, upgrade Dapr to version 1.17.8 or later, where this fix is implemented.
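To make the two mitigations concrete, the following Go example (added here; not Dapr's own code, and the type, function and host names are constructed) models how the issuer advertised by the discovery document is derived under the default described above versus with --oidc-allowed-hosts or --jwt-issuer configured, together with the issuer-pinning check a relying party should apply to the document it fetches instead of trusting dynamic discovery.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sentryFlags models the two flags from the mitigation section (constructed here; not Dapr's own types).
type sentryFlags struct {
	JWTIssuer    string   // --jwt-issuer; empty means "derive from the request"
	AllowedHosts []string // --oidc-allowed-hosts; empty means "no allowlist"
}

func hostAllowed(allowed []string, host string) bool {
	for _, a := range allowed {
		if strings.EqualFold(a, host) {
			return true
		}
	}
	return false
}

// advertisedIssuer derives the issuer (and so the jwks_uri base) of the discovery
// document. With neither flag set it reproduces the default described above and
// trusts X-Forwarded-Host as-is; an unlisted forwarded host falls back to Host.
func advertisedIssuer(f sentryFlags, host, forwardedHost string) string {
	if f.JWTIssuer != "" {
		return f.JWTIssuer // pinned issuer: request headers are ignored entirely
	}
	if forwardedHost != "" && (len(f.AllowedHosts) == 0 || hostAllowed(f.AllowedHosts, forwardedHost)) {
		return "https://" + forwardedHost
	}
	return "https://" + host
}

// relyingPartyAccepts is the client-side pin: the fetched document's issuer must
// equal the expected issuer and jwks_uri must be served over https from that host.
func relyingPartyAccepts(expectedIssuer, docIssuer, jwksURI string) bool {
	want, err := url.Parse(expectedIssuer)
	if err != nil || docIssuer != expectedIssuer {
		return false
	}
	got, err := url.Parse(jwksURI)
	return err == nil && got.Scheme == "https" && strings.EqualFold(got.Host, want.Host)
}

func main() {
	fmt.Println(advertisedIssuer(sentryFlags{}, "sentry.internal", "attacker.example")) // https://attacker.example
}
```

With either flag set, the same spoofed header yields https://sentry.internal, and a relying party that pins its expected issuer rejects a poisoned document even if it was cached for the full hour.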
