CVE-2026-45576
Awaiting Analysis Awaiting Analysis - Queue

zrok Copy Path Traversal Vulnerability

Vulnerability report for CVE-2026-45576, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

zrok is software for sharing web services, files, and network resources. From 0.4.23 until 2.0.3, `zrok2 copy` stores attacker-controlled WebDAV or zrok drive paths such as /../outside.txt in the source inventory and passes them to FilesystemTarget.WriteStream, allowing the sync pipeline to write files outside the selected local filesystem destination root. This issue is fixed in version 2.0.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
openziti zrok From 0.4.23 (exc) to 2.0.3 (inc)
openziti zrok 2.0.3
openziti zrok From 0.4.23|end_excluding=2.0.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a path traversal flaw in the zrok software affecting versions 0.4.23 to 2.0.2. The issue occurs in the zrok copy command when using WebDAV or zrok drives. Attackers can manipulate file paths using sequences like /../outside.txt to write files outside the intended destination directory on the local filesystem.

Detection Guidance

Check if your zrok version is between 0.4.23 and below 2.0.3 by running: zrok version. If affected, inspect logs for suspicious file operations or directory traversal attempts in WebDAV or zrok drive paths.

Impact Analysis

An attacker could overwrite sensitive files on your system using your credentials. This could lead to data corruption, unauthorized access to confidential information, or disruption of services relying on those files. The vulnerability requires network access but no special privileges or user interaction.

Compliance Impact

This vulnerability could lead to unauthorized file access or modification, potentially violating data integrity and confidentiality requirements in GDPR and HIPAA. Organizations using affected zrok versions may face compliance violations if sensitive data is exposed or altered.

Mitigation Strategies

Upgrade zrok to version 2.0.3 or later immediately. Disable WebDAV or zrok drive features if not required. Review filesystem permissions and audit logs for unauthorized file writes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45576. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart