Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

INFO

Published Date :

2026-05-08T03:45:57.209Z

Last Modified :

2026-05-08T12:13:21.216Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-42275 vulnerability.

Vendors Products
Openziti
  • Zrok
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-42275.

URL Resource
https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e cve-icon cve-icon
https://github.com/openziti/zrok/releases/tag/v2.0.2 cve-icon cve-icon
https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact