CVE-2026-45568

openziti · zrok

The zrok Python SDK proxy route is vulnerable to a server-side request forgery flaw, allowing attackers to force the proxy to return responses from arbitrary URLs.

Executive summary

A critical server-side request forgery vulnerability in the zrok Python SDK enables attackers to redirect proxy requests to arbitrary external or internal targets, risking sensitive data exposure.

Vulnerability

The vulnerability exists in the Flask proxy route, which accepts an absolute URL in the request path and improperly passes it to urljoin. This allows an unauthenticated attacker to manipulate the request path to point to an attacker-controlled host, causing the application to proxy requests to unintended locations.

Business impact

This flaw can be leveraged to perform server-side request forgery, potentially allowing attackers to access internal network resources or exfiltrate sensitive configuration data. Given the CVSS score of 9.9, the impact on confidentiality and integrity is severe, as it bypasses intended network boundaries.

Remediation

Immediate Action: Update the zrok software to version 2.0.3 or later to fix the path traversal and proxy logic.

Proactive Monitoring: Inspect web access logs for requests containing absolute URLs in the path or suspicious outbound traffic originating from the zrok proxy service.

Compensating Controls: Deploy a Web Application Firewall to filter requests that contain suspicious path patterns or attempt to access unauthorized external domains.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations utilizing zrok for resource sharing must update to version 2.0.3 immediately. This update is necessary to prevent unauthorized proxying and to protect internal services from potential exposure.