CVE-2026-42275: CWE-61: UNIX Symbolic Link (Symlink) Following in openziti zrok
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
AI Analysis
Technical Summary
The vulnerability arises because the zrok WebDAV backend (davServer.Dir) performs lexical normalization to restrict path traversal but does not prevent following symbolic links that point outside the shared DriveRoot. This allows remote users to leverage symlinks to access or modify files beyond the designated share root, potentially compromising system integrity. The vulnerability is tracked as CWE-61 (Improper Restriction of Symbolic Links) and CWE-22 (Path Traversal). It has a CVSS 3.1 score of 8.7, indicating high severity. The issue is fixed in zrok version 2.0.2.
Potential Impact
Exploitation of this vulnerability allows remote unauthenticated attackers to read arbitrary files outside the shared directory via WebDAV. Additionally, if the underlying OS permissions on the shared files are not restrictive, attackers can write or overwrite files anywhere accessible to the zrok process, potentially leading to system compromise or data tampering. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade zrok to version 2.0.2 or later, where this vulnerability has been patched. Since no official remediation level or patch links are provided beyond the version update, applying this version upgrade is the recommended action. Patch status is confirmed by the vendor's versioning information. No additional mitigations are indicated.
CVE-2026-42275: CWE-61: UNIX Symbolic Link (Symlink) Following in openziti zrok
Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the zrok WebDAV backend (davServer.Dir) performs lexical normalization to restrict path traversal but does not prevent following symbolic links that point outside the shared DriveRoot. This allows remote users to leverage symlinks to access or modify files beyond the designated share root, potentially compromising system integrity. The vulnerability is tracked as CWE-61 (Improper Restriction of Symbolic Links) and CWE-22 (Path Traversal). It has a CVSS 3.1 score of 8.7, indicating high severity. The issue is fixed in zrok version 2.0.2.
Potential Impact
Exploitation of this vulnerability allows remote unauthenticated attackers to read arbitrary files outside the shared directory via WebDAV. Additionally, if the underlying OS permissions on the shared files are not restrictive, attackers can write or overwrite files anywhere accessible to the zrok process, potentially leading to system compromise or data tampering. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade zrok to version 2.0.2 or later, where this vulnerability has been patched. Since no official remediation level or patch links are provided beyond the version update, applying this version upgrade is the recommended action. Patch status is confirmed by the vendor's versioning information. No additional mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T11:53:27.708Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fd5dc1cbff5d86108b649e
Added to database: 5/8/2026, 3:51:29 AM
Last enriched: 5/8/2026, 4:06:20 AM
Last updated: 5/9/2026, 3:47:55 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.