Vulnerability-Lookup

Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

Apply ordering (override relevance)

Related vulnerabilities

GHSA-C656-JCX2-7PQJ

Vulnerability from github – Published: 2026-05-19 15:38 – Updated: 2026-05-19 15:38

Summary

zrok copy writes attacker-controlled WebDAV paths outside the destination root

Details

Summary

Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.

Impact

Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.

Severity

8.3 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openziti/zrok/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openziti/zrok"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.23"
            },
            {
              "last_affected": "1.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:38:56Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAlice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the target root and creates the file outside Alice\u0027s selected directory.\n\n### Impact\nUsers given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.",
  "id": "GHSA-c656-jcx2-7pqj",
  "modified": "2026-05-19T15:38:57Z",
  "published": "2026-05-19T15:38:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openziti/zrok/security/advisories/GHSA-c656-jcx2-7pqj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openziti/zrok"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "zrok copy writes attacker-controlled WebDAV paths outside the destination root"
}