PT-2026-37119 · Dapr · Dapr

Dbconfession78

Published: 2026-04-17 · Updated: 2026-05-12

CVE-2026-41491

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Dapr versions 1.3.0 through 1.15.13
Dapr versions 1.16.0-rc.1 through 1.16.13
Dapr versions 1.17.0-rc.1 through 1.17.4
Description

An issue exists in the way access control policies for service invocation are handled. The Access Control List (ACL) and the dispatch layer normalized method paths independently, allowing a mismatch where the ACL evaluates one path while the target application receives another. This discrepancy makes it possible to bypass access control policies using reserved URL characters and path traversal sequences in method paths. For instance, an attacker could use encoded path traversal (e.g., admin%2F..%2Fpublic) to reach an allowed path when the method started with a denied prefix, or use encoded fragment (%23) or query (%3F) characters to manipulate path evaluation. The gRPC API is a more significant vector because it passes method strings raw, delivering characters like #, ?, and ../ literally without client-side sanitization.
Recommendations

Update to version 1.15.14 for versions in the 1.3.0 through 1.15.13 range.
Update to version 1.16.14 for versions in the 1.16.0-rc.1 through 1.16.13 range.
Update to version 1.17.5 for versions in the 1.17.0-rc.1 through 1.17.4 range.
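The following Go sketch is an added illustration, not Dapr's code: it shows why two layers normalizing a method path independently can disagree on the inputs named above, and the hardened shape in which one canonical string drives both the ACL decision and the method handed to the target. The canonicalizer, the prefix allow-list policy and the sample method strings are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Canonicalize (hypothetical, not Dapr's code): percent-decode, cut any '?'/'#'
// suffix, then collapse "." and ".." against a rooted path.Clean.
func Canonicalize(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	if i := strings.IndexAny(decoded, "?#"); i >= 0 {
		decoded = decoded[:i]
	}
	return strings.TrimPrefix(path.Clean("/"+decoded), "/"), nil
}

// Independent normalizers are the advisory's root cause: modelled here as an ACL
// that only percent-decodes and a dispatcher that also cleans the path.
func aclView(raw string) string { s, _ := url.PathUnescape(raw); return s }
func dispatchView(raw string) string { s, _ := Canonicalize(raw); return s }
func ViewsDisagree(raw string) bool { return aclView(raw) != dispatchView(raw) }

// Authorize is the hardened shape: one canonical string drives both the ACL
// decision (deny-by-default prefix allow-list) and the method passed on;
// undecodable input is refused outright.
func Authorize(allow []string, raw string) (allowed bool, method string) {
	canon, err := Canonicalize(raw)
	if err != nil {
		return false, ""
	}
	for _, pre := range allow {
		if strings.HasPrefix(canon+"/", pre+"/") {
			return true, canon
		}
	}
	return false, canon
}

func main() {
	for _, raw := range []string{"admin%2F..%2Fpublic", "public%23admin", "admin"} {
		ok, m := Authorize([]string{"public"}, raw)
		fmt.Println(raw, "disagree:", ViewsDisagree(raw), "allowed:", ok, "method:", m)
	}
}
```

With the page's own sample inputs the two views disagree wherever an encoded "/", "#" or "?" appears, while the hardened path authorizes and delivers the same string, so a traversal such as public%2F..%2Fadmin is judged as "admin" rather than as its allowed prefix.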

Weakness Enumeration

Path traversal
Improper Access Control

Related Identifiers

CVE-2026-41491
GHSA-85GX-3QV6-4463

Affected Products

Dapr