๐Ÿ” CVE Alert

CVE-2026-45576

UNKNOWN 0.0

zrok copy writes attacker-controlled WebDAV paths outside the destination root

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

zrok is software for sharing web services, files, and network resources. From 0.4.23 until 2.0.3, `zrok2 copy` stores attacker-controlled WebDAV or zrok drive paths such as /../outside.txt in the source inventory and passes them to FilesystemTarget.WriteStream, allowing the sync pipeline to write files outside the selected local filesystem destination root. This issue is fixed in version 2.0.3.

CWE CWE-22
Vendor openziti
Product zrok
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for openziti zrok

Be the first to know when new unknown vulnerabilities affecting openziti zrok are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

openziti / zrok
>= 0.4.23, < 2.0.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/openziti/zrok/security/advisories/GHSA-c656-jcx2-7pqj github.com: https://github.com/openziti/zrok/commit/a5811e61589d2f804267c6de4a9056db1bdea457 github.com: https://github.com/openziti/zrok/releases/tag/v2.0.3