Dapr: Service Invocation path traversal ACL bypass

Description

Summary

A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one.

Users who have configured access control policies for service invocation are strongly encouraged to upgrade Dapr to the respective patch version 1.17.5, 1.16.14, and 1.15.14.

Impact

This vulnerability impacts Dapr users who have configured access control policies for service invocation. An attacker who can reach the Dapr HTTP or gRPC API could:

  • Use encoded path traversal (ex: admin%2F..%2Fpublic) to reach an allowed path while the method started from a denied prefix.
  • Use encoded fragment (%23) or query (%3F) characters to cause the ACL to evaluate a different path than what was delivered to the target application.

Patches

Users should upgrade immediately to their respective Dapr version 1.17.5, 1.16.14, and 1.15.14.

Details

Dapr supports access control policies for service invocation, which allow operators to restrict which methods an application is permitted to call on a target app. When a request arrives, Dapr evaluates the method path against the configured policy before dispatching to the target.

Prior to this fix, the ACL and the dispatch layer normalized the method path independently. The ACL used purell.NormalizeURLString, which decoded %XX sequences, resolved ../, and stripped # and ? as URL delimiters. The dispatch layer used the raw method string. This mismatch meant the ACL authorized one path while the target application received a different one.

For example, a method of admin%2F..%2Fpublic was normalized by the ACL to public (allowed), but the target application received admin/../public.

The gRPC API was the more dangerous vector because gRPC passes method strings raw — #, ?, ../, and control characters were all delivered literally with no client-side sanitization.

References

This PR signaled to us about the CVE, special thanks to @dbconfession78 for the efforts here and the original PR.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-17 22:20:40 UTC
Updated
2026-05-12 13:31:36 UTC
GitHub reviewed
2026-04-17 22:20:40 UTC
NVD published
2026-05-08

EPSS Score

Score Percentile
0.03% 10.62%

CVSS Scores

Base score Version Severity Vector
8.1 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-284 Improper Access Control

Credits

  • JoshVanL (remediation_developer)
  • cicoyle (coordinator)
  • acroca (remediation_reviewer)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/dapr/dapr >= 1.17.0-rc.1, < 1.17.5 1.17.5
go github.com/dapr/dapr >= 1.16.0-rc.1, < 1.16.14 1.16.14
go github.com/dapr/dapr >= 1.3.0, < 1.15.14 1.15.14

References

cvelogic Threat Intelligence