Description
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.
Published: 2026-05-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Dapr’s service invocation logic allows an attacker to craft method paths that include reserved URL characters and path traversal sequences, causing the ACL system to evaluate a normalized path that differs from the one received by the target application. This mismatch enables the attacker to bypass configured access control policies and invoke services that should be forbidden, compromising the confidentiality and integrity of those services. The weakness maps to path traversal (CWE‑22) and access control failure (CWE‑284).

Affected Systems

The vulnerability affects any Dapr deployment using a version between 1.3.0 and before 1.15.14, between 1.16.0‑rc.1 and before 1.16.14, or between 1.17.0‑rc.1 and before 1.17.5. The issue has been fixed in Dapr releases 1.15.14, 1.16.14, and 1.17.5, so deployments using those or newer versions are not impacted.

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity. EPSS information is currently unavailable, so the probability of exploitation cannot be quantified, but the flaw is not listed in the CISA KEV catalog. The likely attack vector is external; any actor capable of sending a crafted service invocation request to a Dapr-enabled service can exploit the path traversal to bypass ACL controls, potentially exposing protected services and data.

Generated by OpenCVE AI on May 8, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dapr to a patched release (1.15.14, 1.16.14, or 1.17.5) or later.
  • Validate that ACL evaluations and target service method paths are identical by inspecting the normalized path handling logic.
  • Enable detailed logging for service invocation requests and monitor for anomalous path patterns or unauthorized access attempts.

Generated by OpenCVE AI on May 8, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-85gx-3qv6-4463 Dapr: Service Invocation path traversal ACL bypass
History

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Dapr
Dapr dapr
Vendors & Products Dapr
Dapr dapr

Fri, 08 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.
Title Dapr: Service Invocation path traversal ACL bypass
Weaknesses CWE-22
CWE-284
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Dapr Dapr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T13:58:57.832Z

Reserved: 2026-04-20T16:14:19.008Z

Link: CVE-2026-41491

cve-icon Vulnrichment

Updated: 2026-05-08T13:58:54.199Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-08T14:16:33.407

Modified: 2026-05-08T16:08:15.570

Link: CVE-2026-41491

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T15:00:14Z

Weaknesses