Zrok copy writes attacker-controlled WebDAV paths outside the destination root

mike.gorman · May 13, 2026, 12:47pm

CVE-2026-45576

Summary

Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.

Impact

Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users' credentials, allowing for sensitive information to be overwritten.

Package

zrok

Affected versions

>= 0.4.23, < 2.0.3

Patched versions

2.0.3

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N

Thanks go to aisafe-bot for reporting this issue.

Topic		Replies	Views
WebDAV with CORS General Questions	6	521	January 8, 2024
Zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths Security Adivsories	0	13	May 13, 2026
Zrok public file sharing query/problem zrok	1	19	July 3, 2025
Raw http services work, but things behind more complex setups like proxies, or laravel are having issues zrok	12	151	July 11, 2024
Cant forward to a Dedicated Custom Domain Name zrok	24	890	June 27, 2024