CVE Catalog

CVE-2026-59096

Severity: High (CVSS 7.5)
Source: NVD (NIST)

Exploitation Probability (EPSS): 0.25% (low risk)

16th percentile — higher than 16% of all known CVEs

Summary

A vulnerability in Dapr Sentry allows a remote unauthenticated attacker to poison the OIDC discovery document via an unvalidated X-Forwarded-Host header. The attacker can cause relying parties to fetch JWKS from an attacker-controlled server, leading to acceptance of attacker-signed JWTs.

Risk Assessment

The organization is at risk of OIDC authentication compromise, potentially leading to unauthorized access and privilege escalation within the Dapr environment.

Recommendation

Configure the jwt-issuer or oidc-allowed-hosts parameter in Dapr Sentry so that only trusted hosts can appear in the discovery document. Additionally, disable dynamic OIDC discovery on relying parties or use pinned certificates.

Original NVD description (English source)

Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts.
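The host handling the recommendation calls for, as an added Go example that is not Dapr's own code: the issuer is taken from a fixed setting when one is configured, otherwise the request host (including X-Forwarded-Host) is accepted only if it is on the allow-list, and an empty allow-list fails closed instead of reflecting the client's host. The DiscoveryConfig type, its field names, the https scheme and the /jwks.json path are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// DiscoveryConfig holds the two settings the advisory names as the fix (jwt-issuer,
// oidc-allowed-hosts); the type and field names are this example's own, not Dapr's.
type DiscoveryConfig struct {
	Issuer       string   // when set, the request host is never consulted
	AllowedHosts []string // exact host[:port] values permitted as the issuer host
}

var ErrUntrustedHost = errors.New("request host not in oidc allowed hosts")
// resolveIssuer: a configured Issuer wins outright; otherwise the request host
// (X-Forwarded-Host honoured for the reverse-proxy case) must match the allow-list.
// An empty allow-list fails closed rather than echoing the client's host, which
// is the poisoning path the advisory describes.
func resolveIssuer(cfg DiscoveryConfig, r *http.Request) (string, error) {
	if cfg.Issuer != "" {
		return cfg.Issuer, nil
	}
	host := r.Host
	if fwd := r.Header.Get("X-Forwarded-Host"); fwd != "" {
		host = fwd
	}
	for _, allowed := range cfg.AllowedHosts {
		if strings.EqualFold(allowed, host) {
			return "https://" + host, nil // scheme is an assumption of this example
		}
	}
	return "", ErrUntrustedHost
}

// discoveryDoc builds the two fields at issue; "/jwks.json" is a placeholder path.
func discoveryDoc(cfg DiscoveryConfig, r *http.Request) (map[string]string, error) {
	issuer, err := resolveIssuer(cfg, r)
	if err != nil {
		return nil, err
	}
	return map[string]string{"issuer": issuer, "jwks_uri": issuer + "/jwks.json"}, nil
}

func main() {
	r := &http.Request{Host: "sentry.internal", Header: http.Header{"X-Forwarded-Host": {"evil.example"}}} // constructed request
	_, err := discoveryDoc(DiscoveryConfig{}, r) // no jwt-issuer, no allow-list: must fail closed
	fmt.Println("forged X-Forwarded-Host rejected:", errors.Is(err, ErrUntrustedHost))
}
```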

Vulnerability data from NVD (NIST) · CISA KEV · EPSS