CVE-2026-40302
Cross-Site Scripting in zrok OAuth Callback via Unescaped Input
Publication date: 2026-04-17
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netfoundry | zrok | to 2.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the zrok software prior to version 2.0.1. The issue arises because the proxyUi template engine uses Go's text/template, which does not perform HTML escaping, instead of html/template. Specifically, the GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter directly into an error message without escaping it. When time.ParseDuration fails, this error message is rendered unescaped into HTML. An attacker can exploit this by crafting a malicious login URL that, after the victim completes the GitHub OAuth flow, causes the callback page to execute arbitrary JavaScript in the OAuth server's origin.
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting (XSS) attacks, allowing an attacker to execute arbitrary JavaScript in the context of the OAuth server's origin. This can result in unauthorized actions being performed on behalf of the victim, theft of sensitive information such as authentication tokens or cookies, and potential compromise of user accounts or sessions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade zrok to version 2.0.1 or later, as this version patches the issue with the proxyUi template engine and the GitHub OAuth callback handlers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to execute arbitrary JavaScript in the OAuth server's origin by embedding attacker-controlled input into an error message without proper HTML escaping. This can lead to cross-site scripting (XSS) attacks, potentially exposing sensitive user information or session data.
Such exposure and unauthorized access to user data could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of authentication processes.
However, the provided information does not explicitly state the direct impact on compliance with these standards.