CVE-2026-40304
Received Received - Intake
Authorization Bypass in zrok Unaccess Handler Allows Deletion

Publication date: 2026-04-17

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40304
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netfoundry zrok to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in zrok software versions prior to 2.0.1. It involves a logical error in the ownership guard of the unaccess handler. Specifically, when a frontend record has an environment_id set to NULL (indicating an admin-created global frontend), the condition meant to verify ownership incorrectly short-circuits to false. This flaw allows a non-admin user who knows a global frontend token to delete that global frontend by calling the DELETE /api/v2/unaccess endpoint with any of their own environment IDs, bypassing ownership verification.

As a result, the global frontend can be permanently deleted, which affects all public shares routed through it. The issue was fixed in version 2.0.1.

Impact Analysis

The vulnerability allows a non-admin user to delete a global frontend without proper authorization. This can lead to the permanent removal of the global frontend, causing all public shares that rely on it to become unavailable.

  • Denial of service for users relying on public shares through the affected global frontend.
  • Potential disruption of business operations or services that depend on these public shares.
Mitigation Strategies

To mitigate this vulnerability, upgrade zrok to version 2.0.1 or later, as this version patches the logical error allowing unauthorized deletion of global frontends.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40304. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart