CVE-2026-40303: CWE-400: Uncontrolled Resource Consumption in openziti zrok
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
AI Analysis
Technical Summary
The vulnerability in openziti zrok (CVE-2026-40303) arises from the endpoints.GetSessionCookie function, which parses a cookie chunk count supplied by an attacker and allocates memory with make([]string, count) without limiting the size. This lack of upper bound allows an unauthenticated remote attacker to trigger very large heap allocations on each request to an OAuth-protected proxy share, potentially leading to denial of service through process OOM termination or goroutine panics. Both publicProxy and dynamicProxy implementations are vulnerable. The issue is fixed in version 2.0.1.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to cause denial of service by forcing the application to allocate excessive memory, leading to process termination or instability. There is no impact on confidentiality or integrity reported. The main impact is availability degradation due to resource exhaustion.
Mitigation Recommendations
Version 2.0.1 of openziti zrok patches this vulnerability. Users should upgrade to version 2.0.1 or later to remediate the issue. Patch status is confirmed by the versioning information. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-40303: CWE-400: Uncontrolled Resource Consumption in openziti zrok
Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in openziti zrok (CVE-2026-40303) arises from the endpoints.GetSessionCookie function, which parses a cookie chunk count supplied by an attacker and allocates memory with make([]string, count) without limiting the size. This lack of upper bound allows an unauthenticated remote attacker to trigger very large heap allocations on each request to an OAuth-protected proxy share, potentially leading to denial of service through process OOM termination or goroutine panics. Both publicProxy and dynamicProxy implementations are vulnerable. The issue is fixed in version 2.0.1.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to cause denial of service by forcing the application to allocate excessive memory, leading to process termination or instability. There is no impact on confidentiality or integrity reported. The main impact is availability degradation due to resource exhaustion.
Mitigation Recommendations
Version 2.0.1 of openziti zrok patches this vulnerability. Users should upgrade to version 2.0.1 or later to remediate the issue. Patch status is confirmed by the versioning information. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T20:22:44.036Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2a136bdfbbecc5990836b
Added to database: 4/17/2026, 9:08:06 PM
Last enriched: 4/17/2026, 9:23:04 PM
Last updated: 4/21/2026, 3:45:59 AM
Views: 28
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.