Vulnerability-Lookup

CVE-2026-41491 (GCVE-0-2026-41491)

Vulnerability from cvelistv5 – Published: 2026-05-08 13:11 – Updated: 2026-05-08 13:58

Title

Dapr: Service Invocation path traversal ACL bypass

Summary

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-284 - Improper Access Control

Assigner

GitHub_M

References

URL

Tags

	https://github.com/dapr/dapr/security/advisories/…	x_refsource_CONFIRM
	https://github.com/dapr/dapr/pull/9589	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	dapr	dapr	Affected: >= 1.3.0, < 1.15.14 Affected: >= 1.16.0-rc.1, < 1.16.14 Affected: >= 1.17.0-rc.1, < 1.17.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41491",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T13:58:49.341365Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T13:58:57.832Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dapr",
          "vendor": "dapr",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.3.0, \u003c 1.15.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.16.0-rc.1, \u003c 1.16.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.17.0-rc.1, \u003c 1.17.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T13:11:13.128Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463"
        },
        {
          "name": "https://github.com/dapr/dapr/pull/9589",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dapr/dapr/pull/9589"
        }
      ],
      "source": {
        "advisory": "GHSA-85gx-3qv6-4463",
        "discovery": "UNKNOWN"
      },
      "title": "Dapr: Service Invocation path traversal ACL bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41491",
    "datePublished": "2026-05-08T13:11:13.128Z",
    "dateReserved": "2026-04-20T16:14:19.008Z",
    "dateUpdated": "2026-05-08T13:58:57.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41491",
      "date": "2026-05-09",
      "epss": "0.00029",
      "percentile": "0.08378"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41491\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T14:16:33.407\",\"lastModified\":\"2026-05-08T16:08:15.570\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://github.com/dapr/dapr/pull/9589\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41491\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-08T13:58:49.341365Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-08T13:58:54.199Z\"}}], \"cna\": {\"title\": \"Dapr: Service Invocation path traversal ACL bypass\", \"source\": {\"advisory\": \"GHSA-85gx-3qv6-4463\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dapr\", \"product\": \"dapr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.3.0, \u003c 1.15.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.16.0-rc.1, \u003c 1.16.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.17.0-rc.1, \u003c 1.17.5\"}]}], \"references\": [{\"url\": \"https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463\", \"name\": \"https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dapr/dapr/pull/9589\", \"name\": \"https://github.com/dapr/dapr/pull/9589\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-08T13:11:13.128Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41491\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-08T13:58:57.832Z\", \"dateReserved\": \"2026-04-20T16:14:19.008Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-08T13:11:13.128Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-85GX-3QV6-4463

Vulnerability from github – Published: 2026-04-17 22:20 – Updated: 2026-04-27 16:34

Summary

Dapr: Service Invocation path traversal ACL bypass

Details

Summary

A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one.

Users who have configured access control policies for service invocation are strongly encouraged to upgrade Dapr to the respective patch version 1.17.5, 1.16.14, and 1.15.14.

Impact

This vulnerability impacts Dapr users who have configured access control policies for service invocation. An attacker who can reach the Dapr HTTP or gRPC API could:

Use encoded path traversal (ex: admin%2F..%2Fpublic) to reach an allowed path while the method started from a denied prefix.
Use encoded fragment (%23) or query (%3F) characters to cause the ACL to evaluate a different path than what was delivered to the target application.

Patches

Users should upgrade immediately to their respective Dapr version 1.17.5, 1.16.14, and 1.15.14.

Details

Dapr supports access control policies for service invocation, which allow operators to restrict which methods an application is permitted to call on a target app. When a request arrives, Dapr evaluates the method path against the configured policy before dispatching to the target.

Prior to this fix, the ACL and the dispatch layer normalized the method path independently. The ACL used purell.NormalizeURLString, which decoded %XX sequences, resolved ../, and stripped # and ? as URL delimiters. The dispatch layer used the raw method string. This mismatch meant the ACL authorized one path while the target application received a different one.

For example, a method of admin%2F..%2Fpublic was normalized by the ACL to public (allowed), but the target application received admin/../public.

The gRPC API was the more dangerous vector because gRPC passes method strings raw — #, ?, ../, and control characters were all delivered literally with no client-side sanitization.

References

This PR signaled to us about the CVE, special thanks to @dbconfession78 for the efforts here and the original PR.

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dapr/dapr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.17.0-rc.1"
            },
            {
              "fixed": "1.17.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dapr/dapr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.16.0-rc.1"
            },
            {
              "fixed": "1.16.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dapr/dapr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.15.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-17T22:20:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one.\n\nUsers who have configured access control policies for service invocation are strongly encouraged to upgrade Dapr to the respective patch version `1.17.5`, `1.16.14`, and `1.15.14`.\n\n### Impact\n\nThis vulnerability impacts Dapr users who have configured access control policies for service invocation. An attacker who can reach the Dapr HTTP or gRPC API could:\n\n- Use encoded path traversal (ex: `admin%2F..%2Fpublic`) to reach an allowed path while the method started from a denied prefix.\n- Use encoded fragment (`%23`) or query (`%3F`) characters to cause the ACL to evaluate a different path than what was delivered to the target application.\n\n### Patches\n\nUsers should upgrade immediately to their respective Dapr version `1.17.5`, `1.16.14`, and `1.15.14`.\n\n### Details\n\nDapr supports access control policies for service invocation, which allow operators to restrict which methods an application is permitted to call on a target app. When a request arrives, Dapr evaluates the method path against the configured policy before dispatching to the target.\n\nPrior to this fix, the ACL and the dispatch layer normalized the method path independently. The ACL used `purell.NormalizeURLString`, which decoded `%XX` sequences, resolved `../`, and stripped `#` and `?` as URL delimiters. The dispatch layer used the raw method string. This mismatch meant the ACL authorized one path while the target application received a different one.\n\nFor example, a method of `admin%2F..%2Fpublic` was normalized by the ACL to public (allowed), but the target application received `admin/../public`. \n\nThe gRPC API was the more dangerous vector because gRPC passes method strings raw \u2014 `#`, `?`, `../`, and control characters were all delivered literally with no client-side sanitization.\n\n### References\n\n[This PR](https://github.com/dapr/dapr/pull/9589) signaled to us about the CVE, special thanks to @dbconfession78 for the efforts here and the original PR.",
  "id": "GHSA-85gx-3qv6-4463",
  "modified": "2026-04-27T16:34:02Z",
  "published": "2026-04-17T22:20:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dapr/dapr/pull/9589"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dapr/dapr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dapr: Service Invocation path traversal ACL bypass"
}

FKIE_CVE-2026-41491

Vulnerability from fkie_nvd - Published: 2026-05-08 14:16 - Updated: 2026-05-08 16:08

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/dapr/dapr/pull/9589
	security-advisories@github.com	https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5."
    }
  ],
  "id": "CVE-2026-41491",
  "lastModified": "2026-05-08T16:08:15.570",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T14:16:33.407",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dapr/dapr/pull/9589"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41491 (GCVE-0-2026-41491)

GHSA-85GX-3QV6-4463

Summary

Impact

Patches

Details

References

FKIE_CVE-2026-41491

Tags

Sightings

Nomenclature