LeakyCreds

CVE-2026-42275 - Vulnerability Analysis

High (CVSS: 8.7)

Last Updated: May 8, 2026

zrok - Path Traversal

Published: May 8, 2026 | Updated: May 8, 2026 | Remote Exploitable

Overview

zrok versions before 2.0.2 contain a path traversal caused by symlink following in the WebDAV drive backend, which lets remote WebDAV consumers read and write files outside the shared root. Exploitation requires no special privileges.
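The bug class described above (CWE-22 through symlink following) is shown here as an added example; it is not zrok's code or its 2.0.2 fix. The function names `lexicalResolve` and `safeResolve` are hypothetical, and POSIX-style request paths are assumed: a purely lexical containment check accepts a request that passes through a symlink under the shared root, while a check made after symlink resolution rejects it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("path resolves outside shared root")

func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalResolve neutralises "../" only; a symlink under root still passes.
func lexicalResolve(root, req string) (string, bool) {
	p := filepath.Join(root, filepath.Clean("/"+req))
	return p, within(root, p)
}

// safeResolve resolves symlinks first, then checks containment.
func safeResolve(root, req string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	p := filepath.Join(realRoot, filepath.Clean("/"+req))
	resolved, err := filepath.EvalSymlinks(p)
	// New file (PUT): vet the parent; a dangling symlink at p passes Lstat and is rejected.
	if _, lerr := os.Lstat(p); errors.Is(err, os.ErrNotExist) && lerr != nil {
		resolved, err = filepath.EvalSymlinks(filepath.Dir(p))
		resolved = filepath.Join(resolved, filepath.Base(p))
	}
	if err != nil {
		return "", err
	}
	if !within(realRoot, resolved) {
		return "", errEscape
	}
	return resolved, nil
}

func main() { // usage: prog <shared-root> <request-path>
	if len(os.Args) == 3 {
		fmt.Println(safeResolve(os.Args[1], os.Args[2]))
	}
}
```

Resolving and then opening is still a check-then-use sequence, so a symlink swapped in between the two steps can defeat it. Go 1.24 and later provide `os.Root` (via `os.OpenRoot`), which confines file operations to a directory at open time.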

Severity & Score

Severity: High
CVSS Score: 8.7

Impact

Remote attackers can read and write arbitrary files on the host filesystem accessible to the zrok process, risking data compromise and system integrity.

Mitigation

Update to version 2.0.2 or later.

Details

CVE ID: CVE-2026-42275
Severity: High
CVSS Score: 8.7
Type: path_traversal
Status: confirmed

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N