CVE-2026-45568
Awaiting Analysis Awaiting Analysis - Queue

Remote Code Execution in zrok Python SDK ProxyShare

Vulnerability report for CVE-2026-45568, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

zrok is software for sharing web services, files, and network resources. Prior to 2.0.3, zrok's Python SDK ProxyShare Flask proxy route accepts an absolute URL in the request path and passes it to urllib.parse.urljoin, allowing the requested path to replace the configured target host and causing requests.request to return a server-side response from an attacker-chosen URL. This issue is fixed in version 2.0.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
openziti zrok to 2.0.3 (exc)
openziti zrok 2.0.3
zrok zrok to 2.0.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Server-Side Request Forgery (SSRF) vulnerability in zrok's Python SDK ProxyShare component affecting versions v0.4.47 through v2.0.2. It allows attackers to bypass intended access restrictions by providing absolute URLs in request paths. The proxy uses urllib.parse.urljoin to process these paths, which replaces the intended target host with the attacker's specified host. This causes the proxy to forward requests to arbitrary internal or external systems instead of the configured target.

Detection Guidance

To detect this SSRF vulnerability in zrok's Python SDK ProxyShare, check if your zrok version is below 2.0.3. Run: zrok version. If the version is v0.4.47 through v2.0.2, the system is vulnerable. Monitor network traffic for unexpected requests to internal or loopback addresses (e.g., 127.0.0.1, ::1) from zrok processes.

Impact Analysis

This vulnerability enables unauthorized access to sensitive services or data by bypassing security controls. It impacts confidentiality and integrity of both the vulnerable system and subsequent systems with high severity. Attackers could access internal services, loopback addresses, or external systems not intended to be exposed through the proxy.

Compliance Impact

This SSRF vulnerability could lead to unauthorized access to sensitive data or internal services, which may violate GDPR's data protection requirements or HIPAA's safeguards for protected health information. Unauthorized exposure of personal or health data could result in non-compliance with these regulations.

Mitigation Strategies

Upgrade zrok to version 2.0.3 or later immediately. If upgrading is not possible, restrict network access to zrok instances and disable ProxyShare functionality. Review proxy logs for suspicious requests and block absolute URL paths in request handling.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45568. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart