CVE-2026-41491: Dapr: Service Invocation path traversal ACL bypass

April 17, 2026 (updated April 27, 2026)

A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one.

Users who have configured access control policies for service invocation are strongly encouraged to upgrade Dapr to the respective patch version 1.17.5, 1.16.14, and 1.15.14.

References

github.com/advisories/GHSA-85gx-3qv6-4463
github.com/dapr/dapr
github.com/dapr/dapr/pull/9589
github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463
nvd.nist.gov/vuln/detail/CVE-2026-41491

Code Behaviors & Features

Detect and mitigate CVE-2026-41491 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →