CVE-2026-42275
Symlink Following in zrok WebDAV Drive Backend
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netfoundry | zrok | to 2.0.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in zrok's WebDAV drive backend (prior to version 2.0.2) arises because it restricts path traversal through lexical normalization but does not prevent following symbolic links (symlinks). This means if a symlink inside the shared DriveRoot points to a location outside that root, remote WebDAV users can read files outside the intended directory.
Furthermore, on shares without operating system-level permission restrictions, attackers can write or overwrite files anywhere on the host filesystem accessible to the zrok process. Exploitation requires a pre-existing symlink inside the DriveRoot that points outside, but once that condition is met, no user interaction or authentication is needed.
This vulnerability is classified under CWE-22 (Path Traversal) and CWE-61 (UNIX Symbolic Link Following), highlighting the failure to properly restrict file access and handle symlinks securely.
How can this vulnerability impact me? :
This vulnerability can have a significant impact on the confidentiality and integrity of your system's files. An attacker exploiting this issue can read sensitive files outside the intended shared directory.
If the shared drive does not have OS-level permission restrictions, the attacker can also write or overwrite files anywhere on the host filesystem accessible to the zrok process, potentially leading to data corruption, unauthorized data modification, or further system compromise.
The attack is network-based and requires no authentication by default, increasing the risk if public shares are exposed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves symlink traversal in the zrok WebDAV drive backend, where symbolic links inside the shared DriveRoot point to locations outside that root. Detection involves identifying such symlinks within the DriveRoot directory that resolve outside the intended shared directory.
To detect potential exploitation or presence of this vulnerability on your system, you can scan the DriveRoot directory for symbolic links that point outside the DriveRoot path. For example, using Unix/Linux commands:
- Find all symbolic links inside the DriveRoot directory: `find /path/to/DriveRoot -type l`
- For each symlink found, check where it points to with: `readlink -f <symlink>` and verify if the resolved path is outside the DriveRoot.
- Monitor network traffic for WebDAV requests accessing files outside the expected directory, which may indicate exploitation attempts.
Note that exploitation requires a pre-existing symlink inside DriveRoot pointing outside, so detection focuses on identifying such symlinks and monitoring WebDAV access patterns.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in zrok's WebDAV drive backend allows unauthorized remote users to read and potentially write or overwrite files outside the intended shared directory on the host filesystem. This unauthorized access can lead to exposure or modification of sensitive data.
Such unauthorized access and potential data breaches could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over the confidentiality and integrity of sensitive personal and health information.
Because the vulnerability enables attackers to bypass intended access controls and access broader parts of the filesystem, it increases the risk of data leakage or tampering, which are critical concerns under these regulations.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the zrok software to version 2.0.2 or later, where this vulnerability has been patched.
The fix in version 2.0.2 introduces a path resolution function that prevents symlink traversal outside the configured shared directory, effectively blocking unauthorized file access.
Additionally, as an immediate measure before upgrading, you should:
- Remove or restrict any symbolic links inside the DriveRoot directory that point outside the shared directory.
- Apply OS-level permission restrictions on the shared directories to limit write access and reduce the risk of unauthorized file modifications.
- Restrict or monitor WebDAV access, especially on public shares that do not require authentication, to prevent unauthorized exploitation.