CVE-2026-41491

HIGH NVD

CVSS Score 8.1

Severity HIGH

Published May 08, 2026

Vendor unknown

Description

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.

References

https://github.com/dapr/dapr/pull/9589
https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463