Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by dapr
CVE-2026-41491 (GCVE-0-2026-41491)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-08 13:58
VLAI?
Title
Dapr: Service Invocation path traversal ACL bypass
Summary
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.
Severity ?
8.1 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41491",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T13:58:49.341365Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:58:57.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dapr",
"vendor": "dapr",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 1.15.14"
},
{
"status": "affected",
"version": "\u003e= 1.16.0-rc.1, \u003c 1.16.14"
},
{
"status": "affected",
"version": "\u003e= 1.17.0-rc.1, \u003c 1.17.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:11:13.128Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463"
},
{
"name": "https://github.com/dapr/dapr/pull/9589",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dapr/dapr/pull/9589"
}
],
"source": {
"advisory": "GHSA-85gx-3qv6-4463",
"discovery": "UNKNOWN"
},
"title": "Dapr: Service Invocation path traversal ACL bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41491",
"datePublished": "2026-05-08T13:11:13.128Z",
"dateReserved": "2026-04-20T16:14:19.008Z",
"dateUpdated": "2026-05-08T13:58:57.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35223 (GCVE-0-2024-35223)
Vulnerability from cvelistv5 – Published: 2024-05-23 08:47 – Updated: 2024-08-02 03:07
VLAI?
Title
Dapr API Token Exposure
Summary
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dapr:dapr:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "dapr",
"vendor": "dapr",
"versions": [
{
"lessThanOrEqual": "1.13.3",
"status": "affected",
"version": "1.11.2",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35223",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T20:26:00.242110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:34:03.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.803Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"
},
{
"name": "https://github.com/dapr/dapr/issues/7344",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dapr/dapr/issues/7344"
},
{
"name": "https://github.com/dapr/dapr/pull/7404",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dapr/dapr/pull/7404"
},
{
"name": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"
},
{
"name": "https://github.com/dapr/dapr/releases/tag/v1.13.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "dapr",
"vendor": "dapr",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.0, \u003c 1.13.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the Dapr App API token functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. This vulnerability was patched in version 1.13.3.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-23T08:47:40.289Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dapr/dapr/security/advisories/GHSA-284c-x8m7-9w5h"
},
{
"name": "https://github.com/dapr/dapr/issues/7344",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dapr/dapr/issues/7344"
},
{
"name": "https://github.com/dapr/dapr/pull/7404",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dapr/dapr/pull/7404"
},
{
"name": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dapr/dapr/commit/e0591e43d0cdfd30a2f2960dce5d9892dc98bc2c"
},
{
"name": "https://github.com/dapr/dapr/releases/tag/v1.13.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dapr/dapr/releases/tag/v1.13.3"
}
],
"source": {
"advisory": "GHSA-284c-x8m7-9w5h",
"discovery": "UNKNOWN"
},
"title": "Dapr API Token Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35223",
"datePublished": "2024-05-23T08:47:40.289Z",
"dateReserved": "2024-05-14T15:39:41.784Z",
"dateUpdated": "2024-08-02T03:07:46.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37918 (GCVE-0-2023-37918)
Vulnerability from cvelistv5 – Published: 2023-07-21 20:08 – Updated: 2024-10-10 18:40
VLAI?
Title
API token authentication bypass in HTTP endpoints in Dapr
Summary
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability.
Severity ?
6.8 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj"
},
{
"name": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a"
},
{
"name": "https://docs.dapr.io/operations/security/api-token/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.dapr.io/operations/security/api-token/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dapr:dapr:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "dapr",
"vendor": "dapr",
"versions": [
{
"lessThan": "1.11.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37918",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T18:20:55.913377Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T18:40:09.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dapr",
"vendor": "dapr",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 or to 1.11.2. This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. The issue has been fixed in Dapr 1.10.9 or to 1.11.2. There are no known workarounds for this vulnerability.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-21T20:08:00.768Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dapr/dapr/security/advisories/GHSA-59m6-82qm-vqgj"
},
{
"name": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dapr/dapr/commit/83ca1abb11ffe34211db55dcd36d96b94252827a"
},
{
"name": "https://docs.dapr.io/operations/security/api-token/",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.dapr.io/operations/security/api-token/"
}
],
"source": {
"advisory": "GHSA-59m6-82qm-vqgj",
"discovery": "UNKNOWN"
},
"title": "API token authentication bypass in HTTP endpoints in Dapr"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37918",
"datePublished": "2023-07-21T20:08:00.768Z",
"dateReserved": "2023-07-10T17:51:29.612Z",
"dateUpdated": "2024-10-10T18:40:09.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}