CVE-2026-42275
Analyzed Analyzed - Analysis Complete
Symlink Following in zrok WebDAV Drive Backend

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files andβ€”on shares without OS-level permission restrictionsβ€”write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42275
EUVD
EUVD-2026-28511
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netfoundry zrok to 2.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in zrok's WebDAV drive backend (prior to version 2.0.2) arises because it restricts path traversal through lexical normalization but does not prevent following symbolic links (symlinks). This means if a symlink inside the shared DriveRoot points to a location outside that root, remote WebDAV users can read files outside the intended directory.

Furthermore, on shares without operating system-level permission restrictions, attackers can write or overwrite files anywhere on the host filesystem accessible to the zrok process. Exploitation requires a pre-existing symlink inside the DriveRoot that points outside, but once that condition is met, no user interaction or authentication is needed.

This vulnerability is classified under CWE-22 (Path Traversal) and CWE-61 (UNIX Symbolic Link Following), highlighting the failure to properly restrict file access and handle symlinks securely.

Impact Analysis

This vulnerability can have a significant impact on the confidentiality and integrity of your system's files. An attacker exploiting this issue can read sensitive files outside the intended shared directory.

If the shared drive does not have OS-level permission restrictions, the attacker can also write or overwrite files anywhere on the host filesystem accessible to the zrok process, potentially leading to data corruption, unauthorized data modification, or further system compromise.

The attack is network-based and requires no authentication by default, increasing the risk if public shares are exposed.

Detection Guidance

This vulnerability involves symlink traversal in the zrok WebDAV drive backend, where symbolic links inside the shared DriveRoot point to locations outside that root. Detection involves identifying such symlinks within the DriveRoot directory that resolve outside the intended shared directory.

To detect potential exploitation or presence of this vulnerability on your system, you can scan the DriveRoot directory for symbolic links that point outside the DriveRoot path. For example, using Unix/Linux commands:

  • Find all symbolic links inside the DriveRoot directory: `find /path/to/DriveRoot -type l`
  • For each symlink found, check where it points to with: `readlink -f <symlink>` and verify if the resolved path is outside the DriveRoot.
  • Monitor network traffic for WebDAV requests accessing files outside the expected directory, which may indicate exploitation attempts.

Note that exploitation requires a pre-existing symlink inside DriveRoot pointing outside, so detection focuses on identifying such symlinks and monitoring WebDAV access patterns.

Mitigation Strategies

The primary mitigation step is to upgrade the zrok software to version 2.0.2 or later, where this vulnerability has been patched.

The fix in version 2.0.2 introduces a path resolution function that prevents symlink traversal outside the configured shared directory, effectively blocking unauthorized file access.

Additionally, as an immediate measure before upgrading, you should:

  • Remove or restrict any symbolic links inside the DriveRoot directory that point outside the shared directory.
  • Apply OS-level permission restrictions on the shared directories to limit write access and reduce the risk of unauthorized file modifications.
  • Restrict or monitor WebDAV access, especially on public shares that do not require authentication, to prevent unauthorized exploitation.
Compliance Impact

The vulnerability in zrok's WebDAV drive backend allows unauthorized remote users to read and potentially write or overwrite files outside the intended shared directory on the host filesystem. This unauthorized access can lead to exposure or modification of sensitive data.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of sensitive personal and health information.

Because the vulnerability enables attackers to bypass intended access controls and access broader parts of the filesystem, it increases the risk of data leakage or tampering, which are critical concerns under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42275. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart