CVE-2026-40303 - Vulnerability Details

- zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.

Published: 2026-04-17

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

zrok, an open-source tool for sharing web services, contains a flaw that allows a remote attacker to trigger gigabyte‑scale heap allocations by sending a specially crafted cookie when accessing an OAuth‑protected proxy. The endpoint parses an attacker‑supplied cookie chunk count and creates a slice of that size before validating the token, exposing the process to uncontrolled memory usage. Failure to limit the allocation can cause the zrok process to be terminated by the operating system due to out‑of‑memory or repeatedly panic, resulting in a denial of service for all users sharing that endpoint.

Affected Systems

The vulnerability affects the openziti:zrok service on all versions prior to 2.0.1, impacting both the publicProxy and dynamicProxy configurations. Version 2.0.1 and later contain the fix that limits the size of the cookie chunk count during parsing.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the lack of an EPSS value means current exploitation propensity is unknown. The vulnerability is not listed in the CISA KEV catalog. Attackers only need to craft a request to an OAuth‑protected proxy; no authentication is required, so any external host can trigger the issue. Once activated, the memory exhaustion leads to service degradation or termination, which can be leveraged in targeted denial‑of‑service attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

openziti

zrok

affected

Version	Status	Constraints
`< 2.0.1`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to zrok 2.0.1 or later to apply the patched cookie size validation.
If an update is not immediately possible, apply rate‑limiting to requests against the OAuth‑protected proxy endpoints to reduce the impact of repeated malicious requests.
Consider disabling publicProxy and dynamicProxy features until the patch is deployed, or use network‑level controls such as firewall rules to block or monitor anomalous request patterns that could trigger memory exhaustion.

Generated by OpenCVE AI on April 18, 2026 at 08:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-cpf9-ph2j-ccr9	zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/openziti/zrok/releases/tag/v2.0.1
https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9

History

Fri, 17 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
Title		zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
Weaknesses		CWE-400 CWE-789
References		https://github.com/openziti/zrok/releases/tag/v2.0.1 https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-17T21:01:51.899Z

Updated: 2026-04-17T21:01:51.899Z

Reserved: 2026-04-10T20:22:44.036Z

Link: CVE-2026-40303

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-17T21:16:35.140

Modified: 2026-04-17T21:16:35.140

Link: CVE-2026-40303

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object