CVE-2023-37918

MEDIUM

Dapr <1.10.9 and 1.11.0-1.11.2 - API Token Authentication Bypass via Crafted HTTP Request

Title source: llm

Description

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability.

References (3)

Core 3

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj

Patch x_refsource_misc

https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a

View Patch ZIP pw:eip

Product x_refsource_misc

https://docs.dapr.io/operations/security/api-token/

Scores

CVSS v3 6.8

EPSS 0.0026

EPSS Percentile 49.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (2)

dapr/dapr 1.11.0 - 1.11.2Go

linuxfoundation/dapr < 1.10.9

Published Jul 21, 2023

Tracked Since Feb 18, 2026