LeakyCreds

CVE-2026-41491 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: May 8, 2026

Dapr - Access Control Bypass

Published: May 8, 2026 | Updated: May 8, 2026 | Remote Exploitable

Overview

Dapr versions 1.3.0 to <1.15.14, 1.16.0-rc.1 to <1.16.14, and 1.17.0-rc.1 to <1.17.5 contain an access control bypass caused by inconsistent normalization of method paths that contain reserved URL characters and path traversal sequences. This lets attackers bypass service invocation ACLs. Exploitation requires crafted method paths.
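Inconsistent normalization matters because the policy check and the call dispatch can then disagree about which method a path names. The Go code below is an added example, not Dapr's code or its fix: it reduces a method path to one canonical form, refuses anything that could be read two ways, and evaluates a hypothetical allow-list on that form only. The function names, the allow-list and the sample method paths are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrAmbiguous marks a method path that two components could read differently.
var ErrAmbiguous = errors.New("ambiguous method path")

// CanonicalMethod returns the one form that both the policy check and the
// dispatcher should use, or ErrAmbiguous if the raw path is not already canonical.
func CanonicalMethod(raw string) (string, error) {
	if strings.ContainsAny(raw, "?#\\") { // reserved characters that split or alter a path
		return "", ErrAmbiguous
	}
	dec, err := url.PathUnescape(raw)
	if err != nil || dec != raw { // strict choice: refuse any percent-encoding
		return "", ErrAmbiguous
	}
	clean := path.Clean("/" + raw)
	if clean != "/"+strings.TrimPrefix(raw, "/") { // ".", "..", "//" or trailing "/" changed it
		return "", ErrAmbiguous
	}
	return clean, nil
}

// Allowed evaluates a hypothetical allow-list on the canonical form only,
// so the string that was authorized is the string that gets dispatched.
func Allowed(raw string, allow map[string]bool) (string, bool) {
	m, err := CanonicalMethod(raw)
	if err != nil {
		return "", false
	}
	return m, allow[m]
}

func main() {
	allow := map[string]bool{"/orders/list": true} // constructed policy
	samples := []string{"orders/list", "orders/../admin/reset", "orders%2Flist", "orders/list?x=1", "orders//list"}
	for _, raw := range samples { // constructed inputs
		m, ok := Allowed(raw, allow)
		fmt.Printf("%-26q canonical=%q allowed=%v\n", raw, m, ok)
	}
}
```

Rejecting every percent-encoded path is deliberately stricter than decoding once; a deployment with method names that need encoding would decode exactly once and then apply the same checks to the decoded string.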

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Attackers can bypass access control policies, potentially invoking unauthorized services and accessing restricted functionality.

Mitigation

Update to versions 1.15.14, 1.16.14, or 1.17.5 or later.

Details

CVE ID: CVE-2026-41491
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: unconfirmed

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N