CVE-2026-40304: CWE-284: Improper Access Control in openziti zrok
CVE-2026-40304 is an improper access control vulnerability in openziti zrok versions prior to 2. 0. 1. The flaw exists in the unaccess handler where a logical error allows non-admin users to delete global frontend records without proper ownership verification. This can result in permanent deletion of global frontends, disrupting all public shares routed through them. The issue is patched in version 2. 0. 1.
AI Analysis
Technical Summary
The vulnerability in openziti zrok arises from a logical error in the ownership guard of the unaccess handler (controller/unaccess.go). Specifically, when a frontend record has environment_id set to NULL (indicating an admin-created global frontend), the condition that checks ownership short-circuits to false, allowing deletion without verifying if the requester is an admin. Consequently, a non-admin user who knows a global frontend token can invoke DELETE /api/v2/unaccess with any of their own environment IDs to delete the global frontend. This leads to denial of availability of all public shares dependent on that frontend. The vulnerability is fixed in version 2.0.1.
Potential Impact
The vulnerability allows a non-admin user with knowledge of a global frontend token to delete that global frontend permanently. This results in denial of service for all public shares routed through the deleted frontend. There is no confidentiality or integrity impact reported. The CVSS score is 5.3 (medium severity), reflecting a network attack vector with high attack complexity and low privileges required, causing availability disruption.
Mitigation Recommendations
Upgrade openziti zrok to version 2.0.1 or later, where this improper access control vulnerability is patched. Since no official vendor advisory or patch link is provided, verify the upgrade from the official openziti project sources. Until upgraded, restrict access to global frontend tokens and monitor for unauthorized DELETE /api/v2/unaccess requests if possible.
CVE-2026-40304: CWE-284: Improper Access Control in openziti zrok
Description
CVE-2026-40304 is an improper access control vulnerability in openziti zrok versions prior to 2. 0. 1. The flaw exists in the unaccess handler where a logical error allows non-admin users to delete global frontend records without proper ownership verification. This can result in permanent deletion of global frontends, disrupting all public shares routed through them. The issue is patched in version 2. 0. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in openziti zrok arises from a logical error in the ownership guard of the unaccess handler (controller/unaccess.go). Specifically, when a frontend record has environment_id set to NULL (indicating an admin-created global frontend), the condition that checks ownership short-circuits to false, allowing deletion without verifying if the requester is an admin. Consequently, a non-admin user who knows a global frontend token can invoke DELETE /api/v2/unaccess with any of their own environment IDs to delete the global frontend. This leads to denial of availability of all public shares dependent on that frontend. The vulnerability is fixed in version 2.0.1.
Potential Impact
The vulnerability allows a non-admin user with knowledge of a global frontend token to delete that global frontend permanently. This results in denial of service for all public shares routed through the deleted frontend. There is no confidentiality or integrity impact reported. The CVSS score is 5.3 (medium severity), reflecting a network attack vector with high attack complexity and low privileges required, causing availability disruption.
Mitigation Recommendations
Upgrade openziti zrok to version 2.0.1 or later, where this improper access control vulnerability is patched. Since no official vendor advisory or patch link is provided, verify the upgrade from the official openziti project sources. Until upgraded, restrict access to global frontend tokens and monitor for unauthorized DELETE /api/v2/unaccess requests if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T21:41:54.504Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2a83ebdfbbecc5994f134
Added to database: 4/17/2026, 9:38:06 PM
Last enriched: 4/17/2026, 9:53:35 PM
Last updated: 4/18/2026, 7:25:46 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.