Vulnerability Description
Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.
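The root cause described above is a mismatch between two normalizers: the ACL cleaned the method path on its own, and the dispatch layer forwarded something else. The defensive pattern is to canonicalize exactly once, refuse any path that changes under decoding or cleaning, and feed that single string to both the policy check and the dispatch target. The following Go program is an added illustration of that pattern; it is not Dapr's code, and the Policy type, canonicalize, authorizeAndDispatch and the sample policy entries are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrNonCanonical is returned for any method path that would change under
// percent-decoding or path cleaning. Refusing such paths removes the whole
// class of "ACL saw one path, application received another" bugs.
var ErrNonCanonical = errors.New("method path is not in canonical form")

// Policy lists the canonical method paths a caller may invoke.
// Constructed for this example; it is not Dapr's policy format.
type Policy map[string]bool

// canonicalize is the only place a method path is decoded and cleaned.
func canonicalize(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw) // "%2e%2e" becomes ".." here, before cleaning
	if err != nil {
		return "", err
	}
	trimmed := strings.TrimPrefix(decoded, "/")
	cleaned := path.Clean("/" + trimmed)
	// If cleaning changed anything (".", "..", "//", encoded dots, ...) the caller
	// relied on normalization that a second layer might perform differently.
	// A trailing slash is the one tolerated difference.
	if cleaned != "/"+strings.TrimSuffix(trimmed, "/") {
		return "", ErrNonCanonical
	}
	return cleaned, nil
}

// Invocation is what the dispatch layer hands to the target application.
type Invocation struct {
	Allowed bool
	Method  string // byte-for-byte the string the ACL was evaluated against
}

// authorizeAndDispatch evaluates the policy and builds the dispatch target
// from the same canonical string, so the two views can never diverge.
func authorizeAndDispatch(p Policy, raw string) (Invocation, error) {
	canon, err := canonicalize(raw)
	if err != nil {
		return Invocation{}, err
	}
	return Invocation{Allowed: p[canon], Method: canon}, nil
}

func main() {
	policy := Policy{"/public/data": true} // constructed sample policy
	inputs := []string{
		"/public/data",
		"/public/data/",
		"/admin",
		"/public/%2e%2e/admin",
		"/public/../admin",
		"/public//data",
	}
	for _, raw := range inputs {
		inv, err := authorizeAndDispatch(policy, raw)
		fmt.Printf("%-24q allowed=%-5v method=%q err=%v\n", raw, inv.Allowed, inv.Method, err)
	}
}
```

The useful regression check for an implementation is the invariant encoded in Invocation: the method string forwarded to the application must be identical to the one the ACL decided on, and any input that would need normalization to become that string is rejected rather than silently rewritten by one layer but not the other.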
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Dapr | >= 1.3.0, < 1.15.14 |
Related Weaknesses (CWE)
References
- https://github.com/dapr/dapr/pull/9589 (Issue Tracking, Patch)
- https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463 (Vendor Advisory)
FAQ
What is CVE-2026-41491?
CVE-2026-41491 is a vulnerability with a CVSS score of 8.1 (HIGH). Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1...
How severe is CVE-2026-41491?
CVE-2026-41491 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41491?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Dapr.