Dapr: Service Invocation path traversal ACL bypass_CVE-2026-41491

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.

Basic Information

ID CVE-2026-41491

Source GitHub_M

Published May 8, 2026 at 13:11

Affected Product

Vendor dapr

Product dapr

Version >= 1.3.0, < 1.15.14

Affected Versions dapr dapr >= 1.3.0, < 1.15.14
dapr dapr >= 1.16.0-rc.1, < 1.16.14
dapr dapr >= 1.17.0-rc.1, < 1.17.5

CWE Classification

CWE-22 CWE-284

References

{
    "lastseen": "",
    "description": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.",
    "published": "2026-05-08T13:11:13.128Z",
    "modified": "2026-05-08T13:11:13.128Z",
    "type": "cve",
    "title": "Dapr: Service Invocation path traversal ACL bypass",
    "source": "GitHub_M",
    "references": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463\nhttps://github.com/dapr/dapr/pull/9589",
    "id": "CVE-2026-41491",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "dapr dapr >= 1.3.0, < 1.15.14\ndapr dapr >= 1.16.0-rc.1, < 1.16.14\ndapr dapr >= 1.17.0-rc.1, < 1.17.5",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "dapr",
    "version": ">= 1.3.0, < 1.15.14",
    "vendor": "dapr",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}