Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Denial of Service
Action: Apply Patch
AI Analysis

Impact

The logic error in controller/unaccess.go causes the ownership guard to fail when environment_id is NULL, i.e., for admin-created global frontends. The condition short-circuits to false, so the check is bypassed. A non-admin user who knows the global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs, permanently deleting the global frontend. This removes the routing point that all public shares use, effectively denying service to all users relying on those shares. The flaw is a classic broken access-control (CWE-284) combined with an inverse-logic error (CWE-863).
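To make the guard shape described above concrete, here is an added Go illustration (not zrok's own code) of an ownership check that short-circuits on a nullable environment id, beside a corrected version that handles the NULL case explicitly. The Frontend type, its field names, the function names and the environment id 42 are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Frontend is a constructed stand-in for a zrok frontend row. In the real
// schema environment_id is nullable, and NULL marks an admin-created global
// frontend; the Go field and type names here are assumptions, not zrok's code.
type Frontend struct {
	Token         string
	EnvironmentID *int // nil models environment_id = NULL (global frontend)
}

var ErrUnauthorized = errors.New("caller does not own this frontend")

// vulnerableGuard has the shape the advisory describes: ownership is only
// compared when an environment id is present, so for a global frontend the
// whole condition short-circuits to false and the delete proceeds for any
// caller. The admin flag is accepted but never consulted.
func vulnerableGuard(fe Frontend, callerEnvID int, callerIsAdmin bool) error {
	if fe.EnvironmentID != nil && *fe.EnvironmentID != callerEnvID {
		return ErrUnauthorized
	}
	return nil
}

// fixedGuard treats the NULL case explicitly: a global frontend may only be
// removed by an admin, and an owned frontend only by its owning environment.
func fixedGuard(fe Frontend, callerEnvID int, callerIsAdmin bool) error {
	if fe.EnvironmentID == nil {
		if callerIsAdmin {
			return nil
		}
		return ErrUnauthorized
	}
	if *fe.EnvironmentID != callerEnvID {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	global := Frontend{Token: "example-global-token", EnvironmentID: nil}
	fmt.Println("vulnerable guard, non-admin, global frontend:", vulnerableGuard(global, 42, false))
	fmt.Println("fixed guard, non-admin, global frontend:     ", fixedGuard(global, 42, false))
	fmt.Println("fixed guard, admin, global frontend:         ", fixedGuard(global, 42, true))
}
```

The first line prints a nil error, which is exactly the bypass: a non-admin presenting an environment it owns is waved through on a record whose environment_id is NULL.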

Affected Systems

The vulnerability affects versions of the openziti zrok service prior to 2.0.1. Any deployment that exposes the DELETE /api/v2/unaccess endpoint and has frontends created without an environment ID is impacted. Version 2.0.1 and later incorporate the fix, so only older builds are at risk. There are no other vendor or product listings for this issue.

Risk and Exploitability

With a CVSS score of 5.3 the bug falls in the medium severity range. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, so the current probability of exploitation is unknown. However, the presence of a documented remote API endpoint suggests that an attacker who obtains a global frontend token could perform the deletion with minimal effort. The attack vector is remote, via an HTTP DELETE request. The lack of an official workaround means patching is the only reliable mitigation.

Generated by OpenCVE AI on April 18, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zrok to version 2.0.1 or newer to apply the fix.
  • If an upgrade cannot be performed immediately, remove or revoke any global frontend tokens that are currently exposed in your environment to prevent unauthorized DELETE operations.
  • Enforce strict API rate limiting and monitor DELETE requests to the /api/v2/unaccess endpoint for anomalous activity.



Advisories

Source: Github GHSA
ID: GHSA-3jpj-v3xr-5h6g
Title: zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
History

Thu, 23 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Netfoundry; Netfoundry zrok
CPEs | | cpe:2.3:a:netfoundry:zrok:*:*:*:*:*:*:*:*
Vendors & Products | | Netfoundry; Netfoundry zrok

Mon, 20 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openziti; Openziti zrok
Vendors & Products | | Openziti; Openziti zrok
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
Title | | zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
Weaknesses | | CWE-284; CWE-863
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:57:24.486Z

Reserved: 2026-04-10T21:41:54.504Z

Link: CVE-2026-40304

Vulnrichment

Updated: 2026-04-20T14:51:37.103Z

NVD

Status: Analyzed

Published: 2026-04-17T22:16:32.230

Modified: 2026-04-23T18:33:27.567

Link: CVE-2026-40304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:59:32Z

Weaknesses