VYPR
High severityGHSA Advisory· Published May 19, 2026· Updated May 19, 2026

zrok copy writes attacker-controlled WebDAV paths outside the destination root

CVE-2026-45576

Description

Summary

Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.

Impact

Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/openziti/zrok/v2Go
< 2.0.32.0.3
github.com/openziti/zrokGo
>= 0.4.23, <= 1.1.11

Affected products

1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.