
CVE-2026-59096

HIGH
7.5
CVSS 3.1
Description
Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so that relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server to be enabled without a configured jwt-issuer or oidc-allowed-hosts.
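As an added illustration that is not Dapr's code: a Go sketch of the issuer derivation the description refers to, showing the permissive request-host path beside a hardened one that requires either a configured issuer or an allow-list. The Config field names and the host values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Config stands in for the two settings the advisory names as the gate
// (jwt-issuer and oidc-allowed-hosts); the field names are assumptions.
type Config struct {
	Issuer       string   // explicit issuer; when set the request is never consulted
	AllowedHosts []string // hosts that may be echoed into issuer / jwks_uri
}

// requestHost is the unvalidated value the advisory describes: X-Forwarded-Host
// when present, else Host. "https://" + requestHost(r) is the permissive issuer.
func requestHost(r *http.Request) string {
	if xf := r.Header.Get("X-Forwarded-Host"); xf != "" {
		return xf
	}
	return r.Host
}

// safeIssuer: a configured issuer wins outright; otherwise the request host must
// be on the allow-list, and an empty allow-list is a refusal, not a wildcard.
func safeIssuer(cfg Config, r *http.Request) (string, error) {
	if cfg.Issuer != "" {
		return cfg.Issuer, nil
	}
	if len(cfg.AllowedHosts) == 0 {
		return "", errors.New("no issuer configured and no allowed hosts set")
	}
	host := requestHost(r)
	for _, h := range cfg.AllowedHosts {
		if strings.EqualFold(h, host) {
			return "https://" + host, nil
		}
	}
	return "", errors.New("request host not in allowed hosts: " + host)
}

func main() {
	// Constructed request: internal Host, but a forwarded header naming another host.
	r := &http.Request{Host: "sentry.internal", Header: http.Header{"X-Forwarded-Host": {"other.example"}}}
	fmt.Println("permissive issuer:", "https://"+requestHost(r))
	_, err := safeIssuer(Config{}, r) // default (empty) config is refused outright
	fmt.Println("default config:", err)
}
```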

Metadata

CVE ID: CVE-2026-59096
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-07-02 15:38 UTC
Published: 2026-07-02 19:41 UTC
Last updated: 2026-07-02 19:41 UTC
Primary CWE: CWE-346 (Origin Validation Error)
Vendor / Product: dapr / dapr
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products (1)

Vendor | Product | Platform | Versions
dapr | dapr | - | 1.17.0, 1.18.0

Weakness (CWE)

CWE | Source | Description
CWE-346 | cna | Origin Validation Error

CVSS scores (2)

Score | Severity | Version | Source | Vector
8.2 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
7.5 | HIGH | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N