CVE-2026-45576 in zrok
Summary
by MITRE • 07/16/2026
zrok is software for sharing web services, files, and network resources. From 0.4.23 until 2.0.3, `zrok2 copy` stores attacker-controlled WebDAV or zrok drive paths such as /../outside.txt in the source inventory and passes them to FilesystemTarget.WriteStream, allowing the sync pipeline to write files outside the selected local filesystem destination root. This issue is fixed in version 2.0.3.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in zrok software affects versions 0.4.23 through 2.0.3 and specifically impacts the `zrok2 copy` command functionality. This security flaw represents a path traversal vulnerability that allows attackers to manipulate file system operations by injecting malicious paths into the WebDAV or zrok drive references. The issue occurs when the system processes attacker-controlled input containing directory traversal sequences such as /../outside.txt within the source inventory. When these malformed paths are passed through the sync pipeline to FilesystemTarget.WriteStream, they bypass normal path validation mechanisms and enable unauthorized file system modifications outside of intended boundaries.
The technical implementation of this vulnerability stems from inadequate input sanitization and path validation within the zrok copy command processing pipeline. The system fails to properly validate or canonicalize file paths before executing file system operations, creating an opportunity for attackers to craft malicious paths that escape the designated root directory. This behavior directly violates secure coding principles and represents a classic path traversal attack vector where relative path components are used to navigate outside of expected directories. The vulnerability operates at the intersection of improper input validation and insufficient access control mechanisms, allowing arbitrary file system manipulation through seemingly legitimate copy operations.
From an operational impact perspective, this vulnerability enables attackers to write files to arbitrary locations on the target system's file system, potentially leading to privilege escalation, data exfiltration, or system compromise. The attack surface expands significantly since any user with access to the zrok copy functionality can exploit this weakness to modify files outside of their intended scope. This issue particularly affects environments where zrok is used for sharing web services and network resources, as it could allow unauthorized modification of critical system files or sensitive data repositories. The vulnerability could also enable attackers to establish persistence mechanisms by writing malicious files to system directories or configuration locations.
The security implications extend beyond simple file system traversal to encompass potential privilege escalation scenarios where attackers might leverage this weakness to gain elevated system access. This vulnerability aligns with CWE-22 Path Traversal and represents a specific implementation flaw that violates the principle of least privilege in file system operations. The ATT&CK framework categorizes this as a path traversal technique under the broader category of privilege escalation and persistence mechanisms. Organizations using zrok versions within the affected range should immediately implement mitigations including input validation, path canonicalization, and strict access controls to prevent exploitation.
Mitigation strategies for this vulnerability include upgrading to version 2.0.3 or later where the issue has been resolved through proper input sanitization and path validation. System administrators should implement comprehensive input validation for all file paths passed to file system operations, ensuring that relative path components are properly normalized and validated against a whitelist of acceptable directories. Additional protective measures include restricting permissions on zrok copy functionality, implementing strict directory access controls, and monitoring for unusual file system activity patterns. Organizations should also consider implementing network segmentation to limit access to zrok services and establish automated monitoring for potential exploitation attempts through path traversal vectors.