Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts.
History

Tue, 14 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Linuxfoundation
Linuxfoundation dapr
CPEs cpe:2.3:a:linuxfoundation:dapr:1.17.0:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:dapr:1.18.0:*:*:*:*:*:*:*
Vendors & Products Linuxfoundation
Linuxfoundation dapr

Mon, 06 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Dapr
Dapr dapr
Vendors & Products Dapr
Dapr dapr

Thu, 02 Jul 2026 20:15:00 +0000

Type Values Removed Values Added
Description Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts.
Title Dapr - OIDC Discovery Issuer and JWKS URI Injection via Unvalidated X-Forwarded-Host
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-07-02T19:41:40.984Z

Updated: 2026-07-14T22:03:23.087Z

Reserved: 2026-07-02T15:38:18.928Z

Link: CVE-2026-59096

cve-icon Vulnrichment

Updated: 2026-07-06T13:31:22.771Z

cve-icon NVD

No data.

cve-icon Redhat

No data.