CVE-2026-41491
Undergoing Analysis Undergoing Analysis - In Progress
Path Traversal in Dapr Runtime

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41491
EUVD
EUVD-2026-28553
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
dapr dapr 1.15.14
dapr dapr 1.16.14
dapr dapr 1.17.5
dapr dapr From 1.3.0 (inc) to 1.15.14 (exc)
dapr dapr From 1.16.0-rc.1 (inc) to 1.16.14 (exc)
dapr dapr From 1.17.0-rc.1 (inc) to 1.17.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows bypassing access control policies in Dapr, potentially enabling unauthorized access to services and sensitive data.

Such unauthorized access can lead to breaches of confidentiality and integrity, which are critical requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to exposure or unauthorized manipulation of protected data.

Users relying on Dapr with access control policies should upgrade to the patched versions to mitigate this risk and maintain compliance.

Executive Summary

CVE-2026-41491 is a vulnerability in Dapr's HTTP service invocation where reserved URL characters and path traversal sequences in method paths are incorrectly handled. The access control layer (ACL) normalizes the method path differently from the dispatch layer, causing the ACL to evaluate one path while the target application receives a different one. This mismatch allows attackers to bypass access control policies by using reserved characters like #, ?, %, and encoded path traversal sequences.

The issue arises because reserved characters were interpreted as URL syntax rather than as part of the path data, leading to truncation or misinterpretation of the method paths. The vulnerability affects versions from 1.3.0 up to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5 of Dapr.

Impact Analysis

This vulnerability can allow attackers to bypass access control policies for service invocation in Dapr, potentially granting unauthorized access to services.

Because the ACL evaluates a different path than the one actually dispatched, attackers can exploit reserved URL characters and path traversal sequences to invoke services they should not have access to.

The impact includes a high severity risk to confidentiality and integrity of the affected system, as unauthorized service invocations can lead to data exposure or manipulation.

Detection Guidance

This vulnerability can be detected by monitoring HTTP service invocation requests to Dapr for usage of reserved URL characters or encoded path traversal sequences in method paths, such as %23 (#), %3F (?), or encoded sequences like admin%2F..%2Fpublic.

You can inspect network traffic or logs for suspicious method invocation paths that include these reserved or encoded characters which may indicate attempts to bypass access control.

Example commands to detect such patterns might include:

  • Using tcpdump or tshark to capture HTTP traffic and filter for suspicious characters in URLs.
  • grep or awk commands on Dapr service logs to find method invocation paths containing %23, %3F, %25, or path traversal sequences like '..'.
  • Example grep command: grep -E '%23|%3F|%2E%2E' /path/to/dapr/logs
Mitigation Strategies

The primary mitigation step is to upgrade Dapr to a patched version where this vulnerability is fixed.

  • Upgrade to Dapr version 1.15.14, 1.16.14, or 1.17.5 or later, as these versions include the fix for this vulnerability.
  • Review and tighten access control policies to ensure they do not rely solely on method path normalization that can be bypassed.
  • Monitor service invocation logs for suspicious method paths containing reserved or encoded characters.

Applying these steps will help prevent attackers from bypassing access control policies via crafted method invocation paths.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41491. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart