CVE-2026-42275

High

Published: 08 May 2026

Published

08 May 2026

Modified

08 May 2026

KEV Added

—

Patch

—

CVSS Score 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score 0.0004 11.2th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared…

DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

Security SummaryAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-22 CWE-61

Affected Products

netfoundry

zrok

≤ 2.0.2

References

https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e
Patch · security-advisories@github.com
https://github.com/openziti/zrok/releases/tag/v2.0.2
Product, Release Notes · security-advisories@github.com
https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h
Vendor Advisory · security-advisories@github.com