Dapr: Service Invocation path traversal ACL bypass — CVE-2026-41491
ID
CVE-2026-41491
Source
GitHub
Vendor
GitHub
Threat
high
CVSS
8.1
EPSS
0.00029
Summary
A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. Users who have configured access control policies for service…
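The summary above describes an ACL that normalized the method path separately from the dispatch layer, so the two could disagree. The Go snippet below is an added illustration of the defensive pattern and is not Dapr's code: the method path is canonicalized once (percent-decoded, then cleaned of "." and ".." segments) and that single string is used for both the policy decision and the delivery to the application, so they cannot diverge. A helper also flags requests whose method path was not already canonical, which is a useful thing to log. The Policy type, the function names and the sample method names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// canonicalMethod turns a raw method path from the request into the single
// form that both the ACL check and the dispatcher use. It percent-decodes
// first and then collapses "." / ".." segments and repeated slashes with
// path.Clean. Decoding before cleaning matters: an encoded segment would
// otherwise survive Clean and be decoded later by a different layer.
func canonicalMethod(raw string) (string, error) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", fmt.Errorf("invalid percent-encoding in %q: %w", raw, err)
	}
	// A literal '%' after one round of decoding means a second layer of
	// encoding; reject it rather than decode in a loop.
	if strings.Contains(decoded, "%") {
		return "", fmt.Errorf("double-encoded method path %q", raw)
	}
	cleaned := path.Clean("/" + decoded) // leading slash anchors ".." at the root
	return strings.TrimPrefix(cleaned, "/"), nil
}

// Policy maps an allowed method name (in canonical form) to true.
// Assumed shape for this example, not Dapr's policy model.
type Policy map[string]bool

// Invoke performs the ACL check and the dispatch on the same canonical
// string. It returns the method actually delivered, or an error on denial.
func Invoke(p Policy, rawMethod string, dispatch func(method string)) (string, error) {
	method, err := canonicalMethod(rawMethod)
	if err != nil {
		return "", err
	}
	if !p[method] {
		return "", fmt.Errorf("denied: %q (requested as %q) is not in policy", method, rawMethod)
	}
	dispatch(method) // deliver exactly the string that was authorized
	return method, nil
}

// IsNonCanonical reports whether a raw method path differs from its
// canonical form. Such requests are legitimate to serve but worth logging,
// since normal clients rarely send "..", "." or percent-encoded segments.
func IsNonCanonical(raw string) bool {
	c, err := canonicalMethod(raw)
	return err != nil || c != raw
}

func main() {
	// Constructed sample policy and requests for the demonstration.
	p := Policy{"status": true, "orders/list": true}
	deliver := func(m string) { fmt.Printf("dispatched %q\n", m) }
	for _, raw := range []string{"status", "admin/../status", "status/../admin", "%2e%2e/admin"} {
		if _, err := Invoke(p, raw, deliver); err != nil {
			fmt.Println(err)
		}
		if IsNonCanonical(raw) {
			fmt.Printf("note: non-canonical method path %q\n", raw)
		}
	}
}
```

The important property is that `Invoke` never holds two versions of the path: whatever form the ACL approved is the form the application receives, so a traversal sequence either normalizes to an allowed method and is delivered as that method, or it normalizes to something outside the policy and is refused.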
Product
go: github.com/dapr/dapr
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.