CVE-2026-40304 MEDIUM

CVE-2026-40304: zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records

Vendor Openziti
Product zrok
Weakness CWE-284
Published April 17, 2026
Last update April 20, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
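The defect described above is a guard that only denies when the record's owner is present and differs from the caller, so a NULL owner falls through to "allowed". The Go snippet below is an added illustration of that class of ownership-check bug beside a fail-closed version; it is not zrok's code, and the type Frontend, the functions brokenGuardAllows and fixedGuardAllows, and the sample records are constructed for this example.

```go
package main

import "fmt"

// Frontend is a constructed stand-in for a frontend record. A nil
// EnvironmentID models environment_id = NULL, which the advisory describes
// as the marker for an admin-created global frontend.
type Frontend struct {
	Token         string
	EnvironmentID *int
}

// contains reports whether id is one of the caller's environment ids.
func contains(ids []int, id int) bool {
	for _, v := range ids {
		if v == id {
			return true
		}
	}
	return false
}

// brokenGuardAllows shows the bug pattern: the ownership comparison is only
// evaluated when an owner is set. For a global frontend (nil owner) the
// condition short-circuits to false, nothing is denied, and a non-admin
// caller is allowed to proceed with deletion.
func brokenGuardAllows(fe Frontend, callerEnvIDs []int, isAdmin bool) bool {
	if isAdmin {
		return true
	}
	if fe.EnvironmentID != nil && !contains(callerEnvIDs, *fe.EnvironmentID) {
		return false // owned by a different environment: denied
	}
	return true // BUG: nil owner is never checked and is treated as allowed
}

// fixedGuardAllows fails closed: a record with no owner belongs to no
// non-admin caller, so only admins may delete it; an owned record may only
// be deleted by an environment that owns it.
func fixedGuardAllows(fe Frontend, callerEnvIDs []int, isAdmin bool) bool {
	if isAdmin {
		return true
	}
	if fe.EnvironmentID == nil {
		return false // global frontend: non-admins never own it
	}
	return contains(callerEnvIDs, *fe.EnvironmentID)
}

func main() {
	seven := 7
	global := Frontend{Token: "public-frontend", EnvironmentID: nil} // constructed
	owned := Frontend{Token: "env7-frontend", EnvironmentID: &seven} // constructed
	caller := []int{7} // a non-admin whose only environment is id 7

	fmt.Println("broken guard, global frontend:", brokenGuardAllows(global, caller, false)) // true (bug)
	fmt.Println("fixed guard,  global frontend:", fixedGuardAllows(global, caller, false))  // false
	fmt.Println("fixed guard,  owned frontend: ", fixedGuardAllows(owned, caller, false))   // true
}
```

The fix keeps the ownership check in one place and makes the "no owner" case an explicit deny rather than an accidental fall-through; a unit test that asserts a non-admin is denied on a nil-owner record is the regression check a reviewer would ask for.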

Key dates

Disclosure timeline

April 17, 2026 CVE published
April 20, 2026 Record updated
