High severity · GHSA Advisory · Published May 19, 2026 · Updated May 19, 2026
zrok copy writes attacker-controlled WebDAV paths outside the destination root
CVE-2026-45576
Description
Summary
Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.
Impact
Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing user's credentials, allowing sensitive information to be overwritten.
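The mechanics above come down to joining an untrusted DAV href onto the local target root without a containment check. The following Go snippet, an added example that is not zrok's own code, contrasts the unsafe join (the `NaiveJoin` shape the advisory describes) with a hypothetical hardened resolver `ResolveUnderRoot` that refuses `..` elements and re-checks containment after joining; the root `/tmp/dest` and the hrefs are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a remote path would land outside the target root.
var ErrOutsideRoot = errors.New("remote path escapes the target root")

// NaiveJoin reproduces the unsafe pattern: joining an untrusted DAV href straight onto
// the root. filepath.Join cleans the result, so "/../outside.txt" climbs above root.
func NaiveJoin(root, remotePath string) string {
	return filepath.Join(root, remotePath)
}

// ResolveUnderRoot is a hypothetical hardened replacement: it rejects any ".." element,
// normalises the href as a share-relative path, and re-checks containment after joining.
func ResolveUnderRoot(root, remotePath string) (string, error) {
	p := strings.ReplaceAll(remotePath, `\`, "/") // DAV hrefs are slash-separated
	for _, elem := range strings.Split(p, "/") {
		if elem == ".." { // refuse outright rather than let Clean silently swallow it
			return "", ErrOutsideRoot
		}
	}
	rel := strings.TrimPrefix(path.Clean("/"+p), "/")
	if rel == "" {
		return "", errors.New("empty remote path")
	}
	cleanRoot := filepath.Clean(root)
	dst := filepath.Join(cleanRoot, filepath.FromSlash(rel))
	// Second line of defence: dst must sit strictly below root after joining.
	if dst != cleanRoot && !strings.HasPrefix(dst, cleanRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return dst, nil
}

func main() {
	root := "/tmp/dest" // constructed sample target root
	for _, href := range []string{"/docs/notes.txt", "/../outside.txt"} {
		safe, err := ResolveUnderRoot(root, href)
		fmt.Printf("href=%q naive=%q hardened=%q err=%v\n", href, NaiveJoin(root, href), safe, err)
	}
}
```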
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/openziti/zrok/v2 | Go | < 2.0.3 | 2.0.3 |
| github.com/openziti/zrok | Go | >= 0.4.23, <= 1.1.11 | — |