Skip to main content

CVE-2026-45576

| EUVDEUVD-2026-44973 HIGH
Path Traversal (CWE-22)
2026-05-19 https://github.com/openziti/zrok GHSA-c656-jcx2-7pqj
8.3
CVSS 4.0 · Vendor: https://github.com/openziti/zrok
Share

Severity by source

Vendor (https://github.com/openziti/zrok) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/openziti/zrok) · only source for this CVE.

CVSS VectorVendor: https://github.com/openziti/zrok

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 16, 2026 - 17:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 16, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jul 16, 2026 - 17:22 NVD
8.3 (HIGH)
Source Code Evidence Fetched
May 19, 2026 - 16:31 vuln.today
Analysis Generated
May 19, 2026 - 16:31 vuln.today

DescriptionCVE.org

Summary

Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.

Impact

Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.

AnalysisAI

Directory traversal in openziti zrok's drive sync pipeline allows a malicious WebDAV/zrok share operator to write files outside the victim's chosen destination when the victim runs 'zrok2 copy'. Because the sync code trusts the server-supplied DAV 'href' (e.g. '/../outside.txt') and joins it to the local target root before calling FilesystemTarget.WriteStream, a hostile share can overwrite sensitive files anywhere the copying user's credentials permit. No public exploit identified at time of analysis and EPSS is low (0.06%), but the vendor has shipped a fix (v2.0.3) and the root cause is confirmed in the commit diff.

Share

CVE-2026-45576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy