Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
Published: 2026-05-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

zrok’s WebDAV drive backend allowed symbolic links inside the configured DriveRoot to point outside that root. A remote WebDAV client can instruct the server to follow such links, causing the server to read any file on the host filesystem, and, if the zrok process has write access, to overwrite arbitrary files. This flaw facilitates unauthorized data exfiltration and file manipulation.
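The two checks contrasted, as an added example that is neither zrok's nor the x/net/webdav code the advisory refers to: a lexical join of the kind davServer.Dir performs, beside a hardened resolver that follows symlinks and rejects any real path that leaves the share root (including a not-yet-existing target a PUT would create through a symlinked directory). The function names lexicalResolve, nearestExisting, safeResolve and the error ErrOutsideRoot are this example's own.

```go
package main

import (
	"errors"
	"os"
	"path"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path resolves outside the share root")

// lexicalResolve mirrors the pre-2.0.2 check: clean the request path lexically and
// join it onto the root, so "../" cannot escape, but never examine symlinks.
func lexicalResolve(root, name string) string {
	return filepath.Join(root, filepath.FromSlash(path.Clean("/"+name)))
}

// nearestExisting walks up from p to the first path that exists on disk (so a
// target that a PUT would create is judged by the directory it would land in).
func nearestExisting(p string) string {
	for {
		if _, err := os.Lstat(p); err == nil || filepath.Dir(p) == p {
			return p
		}
		p = filepath.Dir(p)
	}
}

// safeResolve adds the missing step: after the lexical join, resolve every
// symlink on the path and require the real location to stay under the real root.
// Returns the lexical path for use by the handler, or ErrOutsideRoot.
func safeResolve(root, name string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	p := lexicalResolve(root, name)
	realProbe, err := filepath.EvalSymlinks(nearestExisting(p))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realProbe)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return p, nil
}
```

A dangling symlink makes EvalSymlinks fail, which the resolver treats as a rejection rather than falling back to the lexical path.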

Affected Systems

The vulnerability affects all openziti zrok releases prior to v2.0.2. The issue was patched in the v2.0.2 release, which removes the symlink following behavior. All earlier versions remain vulnerable until upgraded.

Risk and Exploitability

With a CVSS score of 8.7, the flaw is considered high severity. Exploitation requires only a remote WebDAV request, which can be sent by any client that can reach the zrok service. No EPSS score is provided, and the vulnerability is not listed in CISA KEV. Because an attacker can read arbitrary files and, if the zrok process runs with sufficient privileges, overwrite sensitive system or configuration files, the impact may extend to configuration tampering, data leakage, or the planting of malicious binaries that could later be executed.

Generated by OpenCVE AI on May 8, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zrok to version 2.0.2 or newer, which removes the symlink following flaw
  • Run the zrok process with the minimum privileges required, limiting its filesystem access to avoid writing to important system directories
  • If an immediate upgrade is not possible, enforce OS-level permissions on the DriveRoot and any directories referenced by symlinks, ensuring that the zrok process cannot read or write outside the intended share

Advisories
Source: Github GHSA
ID: GHSA-74m3-9qvm-rp9h
Title: zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
History

Fri, 08 May 2026 20:15:00 +0000

Values added:
  First Time appeared: Netfoundry; Netfoundry zrok
  CPEs: cpe:2.3:a:netfoundry:zrok:*:*:*:*:*:*:*:*
  Vendors & Products: Netfoundry; Netfoundry zrok

Fri, 08 May 2026 13:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 05:45:00 +0000

Values added:
  First Time appeared: Openziti; Openziti zrok
  Vendors & Products: Openziti; Openziti zrok

Fri, 08 May 2026 04:00:00 +0000

Values added:
  Description: zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
  Title: zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
  Weaknesses: CWE-22; CWE-61
  References:
  Metrics (cvssV3_1): {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T12:13:21.216Z

Reserved: 2026-04-26T11:53:27.708Z

Link: CVE-2026-42275

Vulnrichment

Updated: 2026-05-08T12:13:18.022Z

NVD

Status: Analyzed

Published: 2026-05-08T04:16:22.823

Modified: 2026-05-08T20:03:27.130

Link: CVE-2026-42275

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T06:00:11Z

Weaknesses