zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write — CVE-2026-42275
GitHub · GitHub · CVE-2026-42275
ID
CVE-2026-42275
CVE-2026-42275
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
8.7
8.7
EPSS
0.00041
0.00041
Summary
**Summary** The zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok…
Product
go: github.com/openziti/zrok | go: github.com/openziti/zrok/v2
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.