CVE-2026-40304
Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
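The guard shape described above, as an added illustration (not zrok's own code from controller/unaccess.go): a record type with a nullable environment ID, the short-circuiting check that lets a NULL-environment (global) frontend through, and one way to harden it. Type and field names (Frontend, Request, EnvironmentID, OwnedEnvs) and the sample records are constructed for this example.

```go
package main

import "fmt"

// Frontend models only what the example needs: EnvironmentID is nil for an
// admin-created global frontend (the environment_id = NULL case in the advisory).
// Field names are assumptions for illustration, not zrok's real data model.
type Frontend struct {
	Token         string
	EnvironmentID *int64
}

// Request models what an unaccess handler has at hand: the environment ID the
// caller passed, the environments the caller actually owns, and their admin flag.
type Request struct {
	EnvID     int64
	OwnedEnvs map[int64]bool
	IsAdmin   bool
}

// vulnerableGuard reproduces the logical error: it denies only when the record
// has an environment AND that environment differs from the caller's. For a
// global frontend EnvironmentID is nil, the && short-circuits to false, nothing
// is denied, and the delete proceeds with no ownership check at all.
func vulnerableGuard(fe Frontend, req Request) bool {
	if fe.EnvironmentID != nil && *fe.EnvironmentID != req.EnvID {
		return false // denied: frontend belongs to another environment
	}
	return true // allowed, including the nil case, which is the bug
}

// fixedGuard treats a nil environment as admin-owned (only admins may remove it),
// refuses to trust a caller-supplied EnvID the caller does not own, and only then
// compares environments. This is an illustrative hardening, not the 2.0.1 patch.
func fixedGuard(fe Frontend, req Request) bool {
	if fe.EnvironmentID == nil {
		return req.IsAdmin
	}
	if !req.OwnedEnvs[req.EnvID] {
		return false // caller claimed an environment it does not own
	}
	return *fe.EnvironmentID == req.EnvID
}

func main() {
	env := int64(42)
	// Constructed sample records: one global frontend, one owned by environment 42.
	global := Frontend{Token: "global-token", EnvironmentID: nil}
	mine := Frontend{Token: "mine-token", EnvironmentID: &env}
	user := Request{EnvID: 42, OwnedEnvs: map[int64]bool{42: true}}

	fmt.Printf("global frontend, non-admin: vulnerable=%v fixed=%v\n",
		vulnerableGuard(global, user), fixedGuard(global, user))
	fmt.Printf("own frontend, non-admin:    vulnerable=%v fixed=%v\n",
		vulnerableGuard(mine, user), fixedGuard(mine, user))
}
```

The first line of output is the advisory's scenario: the vulnerable guard allows a non-admin to delete the global frontend, the hardened one does not; the second line shows that legitimate deletions of one's own frontend still pass both.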
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/openziti/zrok | Go | <= 1.1.11 | none listed |
| github.com/openziti/zrok/v2 | Go | < 2.0.1 | 2.0.1 |
Affected products
Patches
No patch commits linked in our index yet; the fixed release is v2.0.1 (see References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3jpj-v3xr-5h6g (GHSA, advisory)
- github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g (NVD, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40304 (GHSA, advisory)
- github.com/openziti/zrok/releases/tag/v2.0.1 (NVD, release notes)
News mentions
No linked articles in our index yet.