Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue.
Published: 2026-04-17
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Reflected XSS in OAuth callback
Action: Immediate Patch
AI Analysis

Impact

zrok is a tool for sharing web services, files, and network resources. Before version 2.0.1, its proxyUi template engine uses Go's text/template, which performs no HTML escaping, where html/template should have been used. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker‑controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration rejects it, and that message is rendered into the page without escaping, so arbitrary JavaScript executes in the OAuth server's origin. The flaw maps to CWE‑79 (Cross‑Site Scripting) and CWE‑116 (Improper Encoding or Escaping of Output): an adversary who gets a victim to follow a crafted login link gets script execution once the victim completes the OAuth flow.

Affected Systems

The issue affects any openziti zrok deployment running a release earlier than v2.0.1. Users of those versions should verify their installed version and plan an update to the patched release.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 6.1 (Medium; vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and currently has no EPSS score. It is not listed in CISA's KEV catalog. Exploitation requires user interaction: the victim must open a crafted OAuth login URL and complete the GitHub sign‑in. The callback page then executes the injected script in the origin of zrok's own OAuth callback server (not GitHub's), which is what the changed‑scope (S:C) rating reflects; from there the script can act against the user's session on that origin.

Generated by OpenCVE AI on April 18, 2026 at 08:57 UTC.

Remediation

Vendor fix: zrok v2.0.1, which the advisory states patches the issue. No separate workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade to openziti zrok v2.0.1 or later.
  • If an upgrade cannot be performed immediately, reject or strip the refreshInterval query parameter (for example at a reverse proxy in front of the OAuth callback handlers) so that an invalid value never reaches the error path that echoes it into HTML.
  • When rendering anything derived from user input into HTML, use html/template (contextual auto‑escaping) rather than text/template, and avoid echoing raw input back in error messages at all.
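The following Go program, added here as an illustration and not taken from zrok's code base, shows the defect the description and the recommendations above are about: the same template source rendered once with text/template and once with html/template, fed an error message that embeds a rejected refreshInterval value verbatim. The template text, the handler shape, the route path and the error wording are assumptions for the demonstration, not zrok's actual proxyUi template or handlers. It also includes a small interim check of the kind the second recommendation describes, which validates the parameter without echoing it.

```go
package main

import (
	"fmt"
	htmltemplate "html/template"
	"io"
	"net/http"
	"net/http/httptest"
	texttemplate "text/template"
	"time"
)

// Assumed page shape for the demonstration (not zrok's proxyUi template):
// the error string is interpolated into the HTML body.
const errorPage = `<html><body><p class="error">{{.Error}}</p></body></html>`

type errorData struct{ Error string }

// Same template source, two engines. text/template emits {{.Error}} verbatim;
// html/template applies contextual escaping for the <p> text context.
var (
	unsafeTmpl = texttemplate.Must(texttemplate.New("err").Parse(errorPage))
	safeTmpl   = htmltemplate.Must(htmltemplate.New("err").Parse(errorPage))
)

// executor is satisfied by both *text/template.Template and *html/template.Template.
type executor interface {
	Execute(wr io.Writer, data any) error
}

// parseRefreshInterval reproduces the pattern the advisory describes: when
// time.ParseDuration rejects the query value, the raw value is embedded in
// the error message. The exact wording is assumed, not zrok's.
func parseRefreshInterval(raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("invalid refreshInterval '%s': %v", raw, err)
	}
	return d, nil
}

// callbackHandler models the OAuth callback's error path. Which template
// engine renders the error is the only difference between the vulnerable
// and the fixed variant.
func callbackHandler(tmpl executor) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		if _, err := parseRefreshInterval(r.URL.Query().Get("refreshInterval")); err != nil {
			w.WriteHeader(http.StatusBadRequest)
			_ = tmpl.Execute(w, errorData{Error: err.Error()})
			return
		}
		// A real handler would now exchange the OAuth code and set the session.
		w.WriteHeader(http.StatusOK)
		_, _ = io.WriteString(w, "<html><body>ok</body></html>")
	}
}

// renderCallback drives a handler with an in-process request (assumed route
// "/github/oauth") and returns the response body, so both variants can be
// compared offline.
func renderCallback(tmpl executor, refreshInterval string) string {
	req := httptest.NewRequest(http.MethodGet, "/github/oauth", nil)
	q := req.URL.Query()
	q.Set("refreshInterval", refreshInterval)
	req.URL.RawQuery = q.Encode()
	rec := httptest.NewRecorder()
	callbackHandler(tmpl).ServeHTTP(rec, req)
	return rec.Body.String()
}

// interimErrorMessage is a stop-gap check for deployments that cannot upgrade
// yet: reject the parameter without echoing it into the page at all.
func interimErrorMessage(raw string) string {
	if _, err := time.ParseDuration(raw); err != nil {
		return "invalid refreshInterval"
	}
	return ""
}

func main() {
	payload := `<script>alert(document.domain)</script>` // constructed attacker value
	fmt.Println("text/template:", renderCallback(unsafeTmpl, payload))
	fmt.Println("html/template:", renderCallback(safeTmpl, payload))
}
```

Running it prints the text/template body with the `<script>` element intact inside the `<p>`, and the html/template body with it rendered as `&lt;script&gt;…&lt;/script&gt;`. Switching the engine is the minimal fix; not echoing the raw value at all, as interimErrorMessage does, removes the sink regardless of engine and is the safer habit for error pages.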

Advisories
Source: GitHub GHSA
ID: GHSA-4fxq-2x3x-6xqx
Title: zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
History

Fri, 17 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue.
Title | (none) | zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
Weaknesses | (none) | CWE-116, CWE-79
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T03:07:10.092Z

Reserved: 2026-04-10T20:22:44.036Z

Link: CVE-2026-40302

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T21:16:34.997

Modified: 2026-04-17T21:16:34.997

Link: CVE-2026-40302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses