CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description (NVD)
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.
Analysis (AI-generated)
Path traversal in Dapr runtime versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, and 1.17.0-rc.1-1.17.4 allows authenticated attackers to bypass service invocation access control policies by exploiting URL encoding mismatches between ACL evaluation and request dispatch layers. Attackers can use encoded path traversal sequences (e.g., admin%2F..%2Fpublic) or reserved URL characters (%23 for fragment, %3F for query) to authorize one path while delivering a different path to the target application. …
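The root cause named in the description and the analysis above is a normalization mismatch: one layer canonicalizes the method path and another does not. The following Go program is an added illustration (not Dapr's code) of the defensive pattern: the method path is decoded and validated exactly once, encoded slashes, reserved characters and dot segments are rejected rather than normalized away, and the ACL decision and the dispatched path are derived from the same string. `CanonicalMethod`, `Authorize`, the prefix allowlist and the sample paths are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)
// ErrRejected marks a method path the ACL and the receiving app could read differently.
var ErrRejected = fmt.Errorf("method path rejected as ambiguous")
// CanonicalMethod decodes and validates a method path once; ambiguous input is rejected, not normalized.
func CanonicalMethod(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", ErrRejected
	}
	// '#', '?' or a leftover '%' could be split off or re-decoded downstream, and an
	// encoded '/' would change the segment boundaries the ACL reasoned about.
	if strings.ContainsAny(decoded, "#?%") || strings.Count(decoded, "/") != strings.Count(raw, "/") {
		return "", ErrRejected
	}
	// Require canonical form: no ".", "..", empty or trailing segments.
	clean := strings.TrimPrefix(path.Clean("/"+decoded), "/")
	if clean == "" || clean != decoded {
		return "", ErrRejected
	}
	return clean, nil
}
// Authorize applies a constructed prefix allowlist and returns the exact path to
// dispatch, so the access decision and the forwarded request use one string.
func Authorize(allowedPrefixes []string, rawMethod string) (string, error) {
	method, err := CanonicalMethod(rawMethod)
	if err != nil {
		return "", err
	}
	for _, prefix := range allowedPrefixes {
		if method == prefix || strings.HasPrefix(method, prefix+"/") {
			return method, nil
		}
	}
	return "", fmt.Errorf("method %q denied by policy", method)
}
func main() {
	allowed := []string{"public"} // constructed policy: the caller may reach public/* only
	// Constructed inputs: an allowed call, a denied call, and the encoded shapes named above.
	for _, m := range []string{"public/info", "admin/users", "admin%2F..%2Fpublic", "public%23x", "public%3Fx=1"} {
		target, err := Authorize(allowed, m)
		fmt.Printf("%-20s -> target=%q err=%v\n", m, target, err)
	}
}
```

Rejecting instead of normalizing is the point: a request that any layer might interpret differently never reaches the dispatch layer at all.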
Remediation (AI-generated)
Within 24 hours: Identify all Dapr runtime instances in production and non-production environments using versions 1.3.0-1.15.13, 1.16.0-rc.1-1.16.13, or 1.17.0-rc.1-1.17.4; document current versions and dependent applications. Within 7 days: Upgrade to patched versions (1.15.14, 1.16.14, or 1.17.5) following vendor release notes and testing in staging environments; prioritize gRPC-enabled Dapr instances as higher risk. …
Related identifiers: EUVD-2026-28553, GHSA-85gx-3qv6-4463