CVE-2026-42275 HIGH

CVE-2026-42275: zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

Vendor Openziti
Product zrok
Weakness CWE-61
Published May 8, 2026
Last update May 8, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
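The contrast the description draws, shown as an added Go example that is not zrok's own code (davServer.Dir and DriveRoot are not modelled): a lexical-only join that neutralises "../" but still follows a symlink stored under the root, beside a resolver that canonicalises both the root and the requested path and rejects anything whose real location is outside, covering a not-yet-existing PUT target and a dangling link. The function names are hypothetical, and the constructed fixture assumes a Unix filesystem and Go 1.20 or newer.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// lexicalOnly is the weak pattern: Clean strips "../", but a symlink inside root is still followed on open.
func lexicalOnly(root, name string) string {
	return filepath.Join(root, filepath.Clean("/"+name))
}

// resolveInsideRoot resolves symlinks on root and on the candidate, then
// rejects the candidate unless its real location lies inside the real root.
func resolveInsideRoot(root, name string) (string, error) {
	realRoot, rootErr := filepath.EvalSymlinks(root)
	p := lexicalOnly(root, name)
	realP, err := filepath.EvalSymlinks(p)
	if errors.Is(err, os.ErrNotExist) { // target absent (a PUT creating it): check its parent
		if fi, lerr := os.Lstat(p); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", errors.New("dangling symlink refused: " + name) // a write would create its target
		}
		parent, perr := filepath.EvalSymlinks(filepath.Dir(p))
		realP, err = filepath.Join(parent, filepath.Base(p)), perr
	}
	if err = errors.Join(rootErr, err); err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, realP)
	if err != nil || !filepath.IsLocal(rel) {
		return "", errors.New("path escapes drive root: " + name)
	}
	return realP, nil
}

// demo builds a constructed fixture (a drive root holding a symlink to a file outside it) and reports whether each resolver lets that link escape.
func demo() (weakEscapes, hardenedEscapes bool) {
	tmp, err := os.MkdirTemp("", "drive-demo")
	defer os.RemoveAll(tmp)
	root, secret := filepath.Join(tmp, "drive"), filepath.Join(tmp, "secret.txt")
	err = errors.Join(err, os.Mkdir(root, 0o700), os.WriteFile(secret, []byte("outside"), 0o600),
		os.Symlink(secret, filepath.Join(root, "link")))
	if err != nil { panic(err) }
	_, readErr := os.ReadFile(lexicalOnly(root, "link")) // silently follows the link
	_, hardErr := resolveInsideRoot(root, "link")
	return readErr == nil, hardErr == nil
}
func main() { fmt.Println(demo()) }
```

Running it prints `true false`: the lexical join reads the file outside the share, the canonicalising resolver refuses the same name.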

Key dates

Disclosure timeline

May 8, 2026 CVE published
May 8, 2026 Record updated