Skip to main content

Dapr CVE-2026-41491

| EUVDEUVD-2026-28553 HIGH
Path Traversal (CWE-22)
2026-05-08 GitHub_M GHSA-85gx-3qv6-4463
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
May 08, 2026 - 14:02 EUVD
Source Code Evidence Fetched
May 08, 2026 - 14:01 vuln.today
Analysis Generated
May 08, 2026 - 14:01 vuln.today
CVE Published
May 08, 2026 - 13:11 nvd
HIGH 8.1

DescriptionGitHub Advisory

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.

AnalysisAI

Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. The gRPC API is more dangerous as it passes method strings raw without client-side sanitization. Vendor-released patches are available in versions 1.15.14, 1.16.14, and 1.17.5 (GitHub PR #9589). No public exploit code or CISA KEV listing identified at time of analysis.

Technical ContextAI

Dapr is a distributed application runtime providing service invocation, state management, and pub/sub capabilities for cloud and edge environments. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in the service invocation ACL mechanism. Dapr's ACL layer used purell.NormalizeURLString to normalize method paths before policy evaluation, which decoded percent-encoded sequences, resolved path traversal (../), and stripped URL fragment (#) and query (?) delimiters. However, the HTTP dispatch layer used raw method strings without equivalent normalization, creating a semantic gap. The gRPC API exacerbated the issue by passing method strings literally with no client-side sanitization of reserved characters. This inconsistency meant ACL policy evaluated a sanitized path (e.g., 'public') while the target application received the raw encoded path (e.g., 'admin/../public'), effectively bypassing access control. The fix (PR #9589) standardized URL construction using Go's net/url.Parse, setting RawPath and EscapedPath() to preserve reserved characters and prevent reinterpretation of

as fragment or ? as query syntax.

RemediationAI

Upgrade Dapr immediately to patched version 1.15.14 (if running 1.3.0-1.15.13), 1.16.14 (if running 1.16.x), or 1.17.5 (if running 1.17.x). Patch details are in GitHub PR #9589 (https://github.com/dapr/dapr/pull/9589) and vendor advisory GHSA-85gx-3qv6-4463 (https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463). If immediate patching is not possible, implement compensating controls: (1) Restrict network access to Dapr HTTP and gRPC APIs to trusted clients only using network policies or firewall rules-this reduces attacker surface but limits microservice flexibility; (2) Review and tighten service invocation ACL policies to use explicit allow-lists with no deny-prefix-only rules-however, this does not fully mitigate the normalization mismatch; (3) Deploy a reverse proxy or API gateway in front of Dapr sidecars to normalize and validate method paths before they reach Dapr-this adds latency and operational complexity. None of these workarounds are substitutes for patching, as the root cause normalization mismatch persists.

Share

CVE-2026-41491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy