Description
ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.
Published: 2026-05-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zebra's JSON-RPC HTTP middleware treats a truncated request as an unrecoverable error and aborts the node. As a result, an authenticated RPC client can crash the node by disconnecting before the full request body arrives, causing a denial of service. The weakness is a failure to handle partial input gracefully, classified as an uncaught exception (CWE-248) and a reachable assertion (CWE-617).
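As an added illustration (not Zebra's code, and not the fix shipped in zebrad 4.3.1), the following standalone Rust sketch shows the two behaviours the analysis contrasts: a body-read failure unwrapped with `expect()`, which takes down the whole process, beside the same read mapped to a per-request error response so the node keeps serving. `read_body`, `handle_request_aborting`, `handle_request_graceful`, `truncated_client` and the `Response` type are hypothetical names introduced here; the partial JSON-RPC request is constructed sample input that stands in for a client that announced 64 bytes and disconnected early.

```rust
use std::io::{self, Cursor, Read};

/// Why a request body could not be read in full.
#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The peer closed the connection before the announced length arrived.
    Truncated { expected: usize, received: usize },
    /// Any other transport error, kept as text for the error response.
    Io(String),
}

/// Read exactly `content_length` bytes from the transport. A short read is
/// reported as `BodyError::Truncated`; nothing in here can panic.
pub fn read_body<R: Read>(mut reader: R, content_length: usize) -> Result<Vec<u8>, BodyError> {
    let mut buf = vec![0u8; content_length];
    let mut received = 0;
    while received < content_length {
        match reader.read(&mut buf[received..]) {
            // EOF before the body is complete: the client went away.
            Ok(0) => return Err(BodyError::Truncated { expected: content_length, received }),
            Ok(n) => received += n,
            Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(BodyError::Io(e.to_string())),
        }
    }
    Ok(buf)
}

/// Minimal stand-in for the HTTP response the middleware would emit.
#[derive(Debug, PartialEq)]
pub struct Response {
    pub status: u16,
    pub body: String,
}

/// Defective shape (hypothetical, for contrast only): the read error is treated
/// as unrecoverable. `expect` panics, and on a single-request panic the whole
/// node process is lost, which is the denial of service described above.
pub fn handle_request_aborting<R: Read>(reader: R, content_length: usize) -> Response {
    let body = read_body(reader, content_length).expect("failed to read request body");
    Response { status: 200, body: format!("received {} bytes", body.len()) }
}

/// Hardened shape: the same failure becomes a 400 for this request only.
pub fn handle_request_graceful<R: Read>(reader: R, content_length: usize) -> Response {
    match read_body(reader, content_length) {
        Ok(body) => Response { status: 200, body: format!("received {} bytes", body.len()) },
        Err(BodyError::Truncated { expected, received }) => Response {
            status: 400,
            body: format!("request body truncated: expected {expected} bytes, got {received}"),
        },
        Err(BodyError::Io(msg)) => Response {
            status: 400,
            body: format!("could not read request body: {msg}"),
        },
    }
}

/// Constructed sample: a client announces a 64-byte JSON-RPC body, sends the
/// first 19 bytes, then disconnects (EOF on the cursor plays the disconnect).
pub fn truncated_client() -> (Cursor<Vec<u8>>, usize) {
    let partial = br#"{"jsonrpc":"2.0","m"#.to_vec();
    (Cursor::new(partial), 64)
}

/// Run the hardened handler against the truncated sample request.
pub fn demo() -> Response {
    let (stream, announced_len) = truncated_client();
    handle_request_graceful(stream, announced_len)
}

fn main() {
    let r = demo();
    println!("{} {}", r.status, r.body);
}
```

The point of the split into `read_body` and the handler is that the transport layer has exactly one place where "the client stopped sending" is decided, and that place returns a value rather than unwinding; the handler then decides the HTTP status. A panic at that boundary is reachable by any authenticated client, which is why the classification above is a reachable assertion rather than a mere input-validation slip.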

Affected Systems

ZcashFoundation's Zebra node is affected. Specifically, zebrad versions 2.2.0 through 4.3.0 and zebra-rpc versions 1.0.0-beta.45 through 6.0.1 are vulnerable. Versions 4.3.1 of zebrad and 6.0.2 of zebra-rpc include the fix.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability is of moderate severity. Because it requires an authenticated client, exploitation demands valid RPC credentials, but a client holding them can reliably crash the node. EPSS is not published, and the flaw is not listed in CISA's KEV catalog, indicating no confirmed exploitation so far. Nevertheless, the ability to crash a node warrants timely patching.

Generated by OpenCVE AI on May 8, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update zebrad to version 4.3.1 or later.
  • Update zebra-rpc to version 6.0.2 or later.
  • Restrict or monitor RPC access to prevent repeated disconnect attacks, such as by enforcing connection timeouts or rate limits.

Advisories
Source: GitHub GHSA
ID: GHSA-29x4-r6jv-ff4w
Title: Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients
History

Fri, 08 May 2026 22:15:00 +0000

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 18:30:00 +0000

Type: First Time appeared
Values Added:
  • Zfnd
  • Zfnd zebra-rpc
  • Zfnd zebrad

Type: CPEs
Values Added:
  • cpe:2.3:a:zfnd:zebra-rpc:*:*:*:*:*:rust:*:*
  • cpe:2.3:a:zfnd:zebra-rpc:1.0.0:-:*:*:*:rust:*:*
  • cpe:2.3:a:zfnd:zebra-rpc:1.0.0:beta45:*:*:*:rust:*:*
  • cpe:2.3:a:zfnd:zebra-rpc:1.0.0:beta46:*:*:*:rust:*:*
  • cpe:2.3:a:zfnd:zebrad:*:*:*:*:*:rust:*:*

Type: Vendors & Products
Values Added:
  • Zfnd
  • Zfnd zebra-rpc
  • Zfnd zebrad

Type: Metrics (cvssV3_1)
Values Added:
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Fri, 08 May 2026 15:15:00 +0000

Type: Description
Values Added:
  ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2.

Type: Title
Values Added:
  ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients

Type: Weaknesses
Values Added:
  • CWE-248
  • CWE-617

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added:
  {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:27:04.066Z

Reserved: 2026-04-21T14:15:21.959Z

Link: CVE-2026-41585

Vulnrichment

Updated: 2026-05-08T17:12:47.835Z

NVD

Status: Analyzed

Published: 2026-05-08T15:16:41.400

Modified: 2026-05-08T18:19:56.697

Link: CVE-2026-41585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T00:15:20Z

Weaknesses