CVE-2026-42275
Severity: HIGH
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
Title source: cnaDescription
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
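The defect described above is the gap between lexical and physical path containment. The following is an added illustration, not zrok's own code or the patch: SafeResolve (a hypothetical name) first performs the same lexical step that webdav.Dir does (clean the name under "/" and join it to the root), then resolves symlinks with filepath.EvalSymlinks and rejects any physical path that lands outside the resolved root, while still allowing a not-yet-existing leaf so that uploads work.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the physical path escapes the drive root.
var ErrOutsideRoot = errors.New("path resolves outside drive root")

// SafeResolve maps a client-supplied WebDAV name onto the host filesystem.
// Step 1 is the lexical normalisation webdav.Dir already performs (strip "..",
// anchor under root). Step 2, which the unpatched backend lacked, follows
// symlinks and checks that the physical path is still inside the (likewise
// symlink-resolved) root. A missing leaf is allowed so new files can be
// created, but never through a dangling symlink.
func SafeResolve(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absRoot, err = filepath.EvalSymlinks(absRoot) // canonical root for the prefix test
	if err != nil {
		return "", err
	}
	// Lexical step: Clean("/"+name) cannot climb above "/", so Join stays under root.
	cleaned := filepath.Join(absRoot, filepath.FromSlash(filepath.Clean("/"+name)))

	// Physical step: follow every symlink component.
	resolved, err := filepath.EvalSymlinks(cleaned)
	if errors.Is(err, os.ErrNotExist) {
		// Leaf may legitimately not exist yet (PUT/MKCOL); refuse a dangling symlink leaf.
		if fi, lerr := os.Lstat(cleaned); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %s", ErrOutsideRoot, name)
		}
		parent, perr := filepath.EvalSymlinks(filepath.Dir(cleaned))
		if perr != nil {
			return "", perr
		}
		resolved = filepath.Join(parent, filepath.Base(cleaned))
	} else if err != nil {
		return "", err
	}
	if resolved != absRoot && !strings.HasPrefix(resolved, absRoot+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %s", ErrOutsideRoot, name)
	}
	return resolved, nil
}
```

A backend using this would call SafeResolve for every OpenFile, Stat, Mkdir, Rename and RemoveAll, and for Rename check both the source and the destination.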
References (3)
x_refsource_confirm: https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h
x_refsource_misc: https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e
x_refsource_misc: https://github.com/openziti/zrok/releases/tag/v2.0.2
Scores
CVSS v3: 8.7
EPSS: 0.0033
EPSS Percentile: 24.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-22, CWE-61
Status: published
Products (4)
netfoundry/zrok: < 2.0.2
openziti/zrok (Go): 0 - 1.1.11
openziti/zrok (Go): 0 - 2.0.2
openziti/zrok: < 2.0.2
Published: May 08, 2026
Tracked Since: May 08, 2026