Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/openziti/zrok) · only source for this CVE.
CVSS VectorVendor: https://github.com/openziti/zrok
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Summary
Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.
Impact
Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.
AnalysisAI
Directory traversal in openziti zrok's drive sync pipeline allows a malicious WebDAV/zrok share operator to write files outside the victim's chosen destination when the victim runs 'zrok2 copy'. Because the sync code trusts the server-supplied DAV 'href' (e.g. '/../outside.txt') and joins it to the local target root before calling FilesystemTarget.WriteStream, a hostile share can overwrite sensitive files anywhere the copying user's credentials permit. No public exploit identified at time of analysis and EPSS is low (0.06%), but the vendor has shipped a fix (v2.0.3) and the root cause is confirmed in the commit diff.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44973
GHSA-c656-jcx2-7pqj