CVE-2026-40303: CWE-400: Uncontrolled Resource Consumption in openziti zrok
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
AI Analysis
Technical Summary
The vulnerability in openziti zrok (CVE-2026-40303) involves the GetSessionCookie function parsing an attacker-controlled cookie chunk count without an upper bound before validating tokens. This allows an unauthenticated remote attacker to cause excessive memory allocation by calling make([]string, count) with a large count value. The flaw is exploitable on every request to an OAuth-protected proxy share, impacting both publicProxy and dynamicProxy. The resulting uncontrolled resource consumption can cause the process to run out of memory or experience repeated goroutine panics, leading to denial of service. The issue is fixed in version 2.0.1.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to cause denial of service by triggering large heap allocations that exhaust system memory, resulting in process termination or instability. There is no impact on confidentiality or integrity as per the CVSS vector, but availability is severely affected.
Mitigation Recommendations
Version 2.0.1 of openziti zrok patches this vulnerability. Users should upgrade to version 2.0.1 or later to remediate the issue. Since no official remediation level or patch link is provided beyond this version information, verify with the vendor's advisory for the latest updates. Until patched, consider restricting access to OAuth-protected proxy shares or implementing rate limiting to reduce exposure.
CVE-2026-40303: CWE-400: Uncontrolled Resource Consumption in openziti zrok
Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
CVSS v3.1
Score 7.5high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in openziti zrok (CVE-2026-40303) involves the GetSessionCookie function parsing an attacker-controlled cookie chunk count without an upper bound before validating tokens. This allows an unauthenticated remote attacker to cause excessive memory allocation by calling make([]string, count) with a large count value. The flaw is exploitable on every request to an OAuth-protected proxy share, impacting both publicProxy and dynamicProxy. The resulting uncontrolled resource consumption can cause the process to run out of memory or experience repeated goroutine panics, leading to denial of service. The issue is fixed in version 2.0.1.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to cause denial of service by triggering large heap allocations that exhaust system memory, resulting in process termination or instability. There is no impact on confidentiality or integrity as per the CVSS vector, but availability is severely affected.
Mitigation Recommendations
Version 2.0.1 of openziti zrok patches this vulnerability. Users should upgrade to version 2.0.1 or later to remediate the issue. Since no official remediation level or patch link is provided beyond this version information, verify with the vendor's advisory for the latest updates. Until patched, consider restricting access to OAuth-protected proxy shares or implementing rate limiting to reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T20:22:44.036Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2a136bdfbbecc5990836b
Added to database: 4/17/2026, 9:08:06 PM
Last enriched: 4/25/2026, 2:50:43 AM
Last updated: 6/5/2026, 12:16:03 AM
Views: 78
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.