CVE 8.7 HIGH

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write_CVE-2026-42275

May 7, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

AI Analysis

zrok WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

Basic Information

ID CVE-2026-42275

Source GitHub_M

Published May 8, 2026 at 03:45

Affected Product

Vendor openziti

Product zrok

Version < 2.0.2

Affected Versions openziti zrok < 2.0.2

CWE Classification

CWE-61 CWE-22

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor openziti

Product zrok

Version < 2.0.2

References

{
    "lastseen": "",
    "description": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and\u2014on shares without OS-level permission restrictions\u2014write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.",
    "published": "2026-05-08T03:45:57.209Z",
    "modified": "2026-05-08T03:45:57.209Z",
    "type": "cve",
    "title": "zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write",
    "source": "GitHub_M",
    "references": "https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h\nhttps://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e\nhttps://github.com/openziti/zrok/releases/tag/v2.0.2",
    "id": "CVE-2026-42275",
    "bulletinFamily": "",
    "cwe": [
        "CWE-61",
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "openziti zrok < 2.0.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zrok",
    "version": "< 2.0.2",
    "vendor": "openziti",
    "ai_description": "zrok WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write",
    "ai_severity": "High",
    "ai_vendor": "openziti",
    "ai_product": "zrok",
    "ai_version": "< 2.0.2",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply