### Summary
A vulnerability has been found in Dapr that allows a well-crafted HTTP request to bypass [API token authentication](https://docs.dapr.io/operations/security/api-token/), which the Dapr sidecar uses to authenticate calls coming from the application.
Users who rely on API token authentication are encouraged to upgrade Dapr to 1.10.9 or 1.11.2.
### Impact
This vulnerability affects Dapr users who have configured API token authentication. An attacker who can reach the sidecar's HTTP API could craft a request that the Dapr sidecar always allows, even if the `dapr-api-token` header in the request is invalid or missing.
### Patches
The issue has been fixed in Dapr 1.10.9 and 1.11.2.
### Details
When API token authentication is enabled, Dapr requires all calls from applications to include the `dapr-api-token` header, with a value matching the token in Dapr's configuration.

In order to allow healthchecks to work, the `/v1.0/healthz` and `/v1.0/healthz/outbound` HTTP APIs are excluded from the API token authentication check and are always allowed.

The three `curl -v` request dumps below illustrate the issue: a request to `/v1.0/metadata` without a token, the same request with a valid `dapr-api-token` header, and a request without a token whose query string contains `/healthz`. The last of these is the crafted request described above: `/healthz` appears only in the query string, not in the request path, yet the request is treated as a healthcheck and allowed without a token.

```
> GET /v1.0/metadata HTTP/1.1
> Host: localhost:3500
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse

> GET /v1.0/metadata HTTP/1.1
> Host: localhost:3500
> User-Agent: curl/7.74.0
> Accept: */*
> dapr-api-token: mytoken
>
* Mark bundle as not supporting multiuse

> GET /v1.0/metadata?foo=/healthz HTTP/1.1
> Host: localhost:3500
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
```
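As an added illustration (example code written for this page, not Dapr's own implementation), the Go program below contrasts a healthcheck exemption implemented as a substring match over the full request URI, the pattern that a `?foo=/healthz` query string can satisfy, with one that parses the URI and compares only the path, exactly, against the two exempt endpoints named above. It then runs the three requests from the dumps, plus `/v1.0/healthz` itself, through both checks. The function names, the `healthzPaths` allow-list and the `mytoken` value are this example's assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical allow-list of the two healthcheck endpoints the advisory names.
// Names in this file are the example's own, not Dapr's.
var healthzPaths = map[string]bool{
	"/v1.0/healthz":          true,
	"/v1.0/healthz/outbound": true,
}

// isHealthzNaive models the flawed pattern: a substring match against the
// whole request URI, so "/healthz" anywhere, including the query string,
// marks the request as exempt.
func isHealthzNaive(rawURI string) bool {
	return strings.Contains(rawURI, "/healthz")
}

// isHealthzFixed parses the request-target and compares only the path,
// exactly, against the allow-list. Neither the query string nor a longer
// path such as /v1.0/healthzfoo can match, and an unparsable URI is never
// exempt.
func isHealthzFixed(rawURI string) bool {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return false
	}
	return healthzPaths[u.Path]
}

// authorize returns true when the request may pass: either the route is
// exempt from the token check, or the presented dapr-api-token equals the
// configured one (compared in constant time).
func authorize(exempt func(string) bool, rawURI, presented, configured string) bool {
	if exempt(rawURI) {
		return true
	}
	return presented != "" &&
		subtle.ConstantTimeCompare([]byte(presented), []byte(configured)) == 1
}

func main() {
	const configured = "mytoken" // assumed sidecar configuration
	type req struct{ uri, token string }
	// Constructed from the three request dumps above, plus a real healthcheck.
	reqs := []req{
		{"/v1.0/metadata", ""},
		{"/v1.0/metadata", configured},
		{"/v1.0/metadata?foo=/healthz", ""},
		{"/v1.0/healthz", ""},
	}
	for _, r := range reqs {
		fmt.Printf("%-30s token=%-10q naive=%-5v fixed=%v\n", r.uri, r.token,
			authorize(isHealthzNaive, r.uri, r.token, configured),
			authorize(isHealthzFixed, r.uri, r.token, configured))
	}
}
```

The fixed check deliberately uses an exact path comparison rather than a prefix or suffix match, and it runs after parsing so that only the path component is consulted; the token comparison uses `crypto/subtle` so that a mismatch does not leak timing information about the configured value.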