CVE-2026-40303 HIGH

CVE-2026-40303: zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing

Vendor Openziti
Product zrok
Weakness CWE-400
Published April 17, 2026
Last update April 20, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.

Key dates

02Disclosure timeline

April 17, 2026 CVE published
April 20, 2026 Record updated