CVE-2026-41491

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

EUVD-2026-28553

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

CVE-2026-41491 Dapr: Service Invocation path traversal ACL bypass

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

CVE-2026-41491

CVE-2026‑41491 affects Dapr. An ACL bypass vulnerability in service invocation lets an attacker exploit reserved URL characters and path traversal sequences in method paths, causing the access control policy to be evaluated against a different path than what the target application receives. The m...

CVE-2026-41491 Dapr: Service Invocation path traversal ACL bypass

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...

Dapr: Service Invocation path traversal ACL bypass

Summary A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

GHSA-85GX-3QV6-4463 Dapr: Service Invocation path traversal ACL bypass

Summary A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

PT-2026-37119

Name of the Vulnerable Software and Affected Versions Dapr versions 1.3.0 through 1.15.13 Dapr versions 1.16.0-rc.1 through 1.16.13 Dapr versions 1.17.0-rc.1 through 1.17.4 Description An issue exists in the way access control policies for service invocation are handled. The Access Control List A...

EUVD-2025-202391

Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation...

CVE-2025-9056

Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation...

PT-2025-50303

Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation...

EUVD-2024-27200

Malicious code in bioql PyPI...

CVE-2024-35223 Dapr API Token Exposure

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. Dapr sends the app token of the invoker app instead of the app token of the invoked app. This causes of a leak of the application token of the invoker app to the invoked app when using Dapr as a...

Dapr API Token Exposure

Summary A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the...

GHSA-284C-X8M7-9W5H Dapr API Token Exposure

Summary A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the...

CVE-2024-2244

REST service authentication anomaly with “valid username/no password” credential combination for batch job processing resulting in successful service invocation. The anomaly doesn’t exist with other credential combinations...

GHSA-59M6-82QM-VQGJ Dapr API token authentication bypass in HTTP endpoints

Summary A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10....

Security Bulletin: External Service invocation in IBM Business Space affects IBM Business Automation Workflow and IBM Business Process Manager family products (CVE-2018-1885)

Summary A vulnerability in IBM Business Space can allow an attacker to cause an external service invocation. Vulnerability Details CVEID: CVE-2018-1885 DESCRIPTION: IBM Business Space could allow an unauthenticated attacker to obtain sensitve information using a specially cracted HTTP request. CV...