CVE-2026-45576
zrok copy writes attacker-controlled WebDAV paths outside the destination root
Published: 5/19/2026Modified: 5/19/2026
Also known as:GHSA-c656-jcx2-7pqj
Description
## Summary Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the target root and creates the file outside Alice's selected directory. ### Impact Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.
Affected packages (2)
- Go/github.com/openziti/zrok>= 0.4.23, <= 1.1.11
- Go/github.com/openziti/zrok/v2from 0, < 2.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N |