CVE-2026-41491HIGH 8.1EPSS p23.4%

CVE-2026-41491CVE-2026-41491

Description

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS0.32% probability of exploitation · percentile 23.4% · 2026-06-19T12:03:05Z
Published2026-05-08
Last modified2026-05-12

Underlying weaknesses· 2

CWE-22CWE-284

References

  1. https://github.com/dapr/dapr/pull/9589
  2. https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463

2

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live
WeaknessImproper Access Controlcwe-2840%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-41490
CVE
CVE-2026-41394
CVE
CVE-2026-23899
CVE
CVE-2026-44574
CVE
CVE-2026-39852
CVE
CVE-2026-41964
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.