Path Traversal Vulnerability in Zrok WebDAV Software
CVE-2026-42275

8.7 HIGH

Key Information:

Vendor: Openziti

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-42275?

Zrok, a software solution for sharing web services and files, contains a flaw in its WebDAV drive backend that allows remote WebDAV clients to bypass path restrictions. The backend improperly handles symbolic links inside a shared drive that point outside the designated root directory. Without sufficient OS-level permission controls, this can lead to unauthorized reading of sensitive files and potential overwrites in the host filesystem. The issue has been resolved in version 2.0.2.
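To check whether an existing shared directory contains the kind of link described above, the following added example (not zrok's code and not part of the original advisory) walks a share root and lists symbolic links whose resolved target falls outside it. The names `escapingSymlinks`, `within` and `sharecheck` are hypothetical.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// within reports whether target is root itself or a path beneath it.
func within(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// escapingSymlinks (hypothetical helper) walks a share root and returns the
// root-relative paths of symlinks that resolve outside it. Dangling links are
// reported too, because their target cannot be verified.
func escapingSymlinks(root string) ([]string, error) {
	realRoot, err := filepath.EvalSymlinks(root) // the root may itself be a link
	if err != nil {
		return nil, err
	}
	var found []string
	// WalkDir does not follow symlinks, so the walk itself never leaves realRoot.
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, werr error) error {
		if werr != nil || d.Type()&fs.ModeSymlink == 0 {
			return werr // abort on walk errors, skip non-links (werr is nil)
		}
		target, rerr := filepath.EvalSymlinks(p) // resolves chained links fully
		if rerr != nil || !within(realRoot, target) {
			rel, _ := filepath.Rel(realRoot, p)
			found = append(found, rel)
		}
		return nil
	})
	return found, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: sharecheck <share-root>")
		os.Exit(2)
	}
	links, err := escapingSymlinks(os.Args[1])
	fmt.Println("symlinks escaping share root:", links, "error:", err)
}
```

This is a point-in-time audit of the directory contents; links created after the scan are not covered.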

Affected Version(s)

zrok < 2.0.2

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
