Dapr
v1.17.3Orchestration & ManagementDapr v1.17.3 patches two CVEs (gRPC auth bypass, TIFF OOM DoS) and fixes several high-impact runtime bugs including actor response data loss over h2c, a cascading placement failure, and a scheduler silent-stop bug.
securityUpgrade immediately for two active CVEs
CVE-2026-33186 allows gRPC authorization bypass — unauthorized requests could reach your services. CVE-2026-33809 allows a malicious 8-byte TIFF file to trigger ~4GB memory allocation and OOM-crash a sidecar. Both are fixed only in v1.17.3. There is no workaround short of upgrading. Treat this as an urgent patch, especially if your Dapr components process any image data or expose gRPC endpoints to untrusted callers.
breakingActor + h2c users were silently losing response data — verify your setup
If you run actors with --app-protocol h2c, every actor method invocation since v1.17.2 could have returned HTTP 200 with an empty body. Your app received no error, just missing data. After upgrading to v1.17.3, audit any actor calls that might have been silently failing and verify response payloads are intact. If you log or cache actor responses, replay or revalidate any data collected since upgrading to v1.17.2.
enhancementHA Scheduler deployments: restart pods after upgrade to clear stale leadership state
The scheduler silent-stop bug left stale etcd leadership keys that block quorum convergence. After upgrading, do a coordinated restart of all Scheduler pods to force a clean leadership election. Going forward, workflow timers, scheduled jobs, and actor reminders should be reliable after rolling updates. If you previously saw reminders or jobs randomly stop firing after a Scheduler pod restart, this is the fix.
Key changes (7)
- CVE-2026-33186: gRPC authorization bypass fixed via upstream dependency upgrade
- CVE-2026-33809: TIFF image OOM denial-of-service fixed by upgrading golang.org/x/image to v0.38.0
- Actor method calls over h2c (HTTP/2 cleartext) silently returned empty bodies — fixed with context detachment and pipe error propagation
- Stale Content-Length header forwarding caused unexpected EOF errors in service invocation and actor responses — now stripped correctly
- Placement dissemination timeout cascaded to all replicas on a single slow sidecar — fixed with selective timeout and phase-advancement logic
- Scheduler instances could silently stop participating after scale-up due to a blocking channel race — replaced with non-blocking event loop
- Windows daprd on AKS broken since v1.16.9 due to missing OSVersion in image manifest — reverted to docker manifest toolchain