Home

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M




HIGH: 8.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Problem types

CWE-61: UNIX Symbolic Link (Symlink) Following

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 2.0.2
affected

References

github.com/...i/zrok/security/advisories/GHSA-74m3-9qvm-rp9h

github.com/...ommit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e

github.com/openziti/zrok/releases/tag/v2.0.2

cve.org (CVE-2026-42275)

nvd.nist.gov (CVE-2026-42275)

Download JSON