
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

High severity GitHub Reviewed Published Apr 21, 2026 in openziti/zrok • Updated May 12, 2026

Package

gomod github.com/openziti/zrok (Go)
  Affected versions: <= 1.1.11
  Patched versions: None

gomod github.com/openziti/zrok/v2 (Go)
  Affected versions: < 2.0.2
  Patched versions: 2.0.2

Description

Summary
The zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process.

  • Attack Vector: Network — exploitation is performed entirely over the WebDAV endpoint; the attacker issues HTTP requests to the public zrok share URL.
  • Attack Complexity: High — a precondition outside the attacker's direct control must hold: a symlink pointing outside DriveRoot must already exist within it (created locally, not via WebDAV).
  • Privileges Required: None — zrok share public --backend-mode drive exposes the WebDAV endpoint with no authentication by default.
  • User Interaction: None — once the symlink precondition is met, exploitation requires no user interaction.
  • Scope: Changed — the vulnerability allows an attacker to escape the WebDAV root (the security boundary) and access the broader host filesystem.
  • Confidentiality Impact: High — arbitrary files readable by the zrok process can be retrieved.
  • Integrity Impact: High — the WebDAV PUT handler opens files with O_RDWR|O_CREATE|O_TRUNC, meaning symlink targets outside DriveRoot can be overwritten (e.g. ~/.ssh/authorized_keys).
  • Availability Impact: None — no direct availability impact.
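The missing check, written as an added Go example (not zrok's own code; resolveWithinRoot and demoSymlinkEscape are names chosen here, and the temporary DriveRoot is constructed by the example): after the lexical cleaning the advisory describes, the resolved paths of root and target are compared, so a locally created symlink pointing outside DriveRoot is refused while an in-root name, including a not-yet-existing file that a PUT would create, still resolves.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path resolves outside drive root")

// resolveWithinRoot adds the check the advisory says is missing: resolve
// symlinks on root and target and reject a target outside the real root.
func resolveWithinRoot(root, name string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	// Lexical cleaning only: "../" cannot escape, but symlinks are not resolved.
	candidate := filepath.Join(realRoot, filepath.Clean("/"+filepath.FromSlash(name)))
	real, err := filepath.EvalSymlinks(candidate)
	if errors.Is(err, os.ErrNotExist) { // new leaf (a PUT): resolve its parent
		parent, perr := filepath.EvalSymlinks(filepath.Dir(candidate))
		real, err = filepath.Join(parent, filepath.Base(candidate)), perr
	}
	if err != nil {
		return "", err
	}
	if real != realRoot && !strings.HasPrefix(real, realRoot+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	return real, nil
}

// demoSymlinkEscape builds a constructed DriveRoot with a locally created
// symlink "link" to a file outside it; it returns the verdict for "link" and
// for "new.txt", an in-root file that does not exist yet.
func demoSymlinkEscape() (linkErr, newErr error) {
	tmp, err := os.MkdirTemp("", "zrok-drive-example")
	if err != nil {
		return err, err
	}
	defer os.RemoveAll(tmp)
	root, secret := filepath.Join(tmp, "root"), filepath.Join(tmp, "secret.txt")
	_ = os.Mkdir(root, 0o700)
	_ = os.WriteFile(secret, []byte("constructed secret"), 0o600)
	_ = os.Symlink(secret, filepath.Join(root, "link"))
	_, linkErr = resolveWithinRoot(root, "link")
	_, newErr = resolveWithinRoot(root, "new.txt")
	return linkErr, newErr
}
```

EvalSymlinks and the open that follows it are separate system calls, so a symlink swapped in between them still races; on Linux the open itself can be made to refuse leaving the root (openat2 with RESOLVE_BENEATH), which closes that window.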

Affected Components

  • drives/davServer/file.go — Dir.OpenFile (line 140), Dir.Stat (line 176), Dir.Mkdir (line 133), Dir.RemoveAll (line 151)
  • endpoints/drive/backend.go — NewBackend (lines 51–52)

References

mikegorman-nf published to openziti/zrok Apr 21, 2026
Published to the GitHub Advisory Database Apr 25, 2026
Reviewed Apr 25, 2026
Published by the National Vulnerability Database May 8, 2026
Last updated May 12, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).

CVSS v3 base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS score


This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(19th percentile)

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

CVE ID

CVE-2026-42275

GHSA ID

GHSA-74m3-9qvm-rp9h
