CVE-2026-45576
openziti · zrok
A path traversal vulnerability in zrok allows remote, unauthenticated attackers to manipulate file paths and potentially impact system integrity.
Executive summary
An unauthenticated path traversal vulnerability in the openziti zrok software permits unauthorized file access and manipulation, necessitating an urgent update to version 2.0.3.
Vulnerability
This is a path traversal vulnerability (CWE-22) that can be triggered by an unauthenticated attacker. The vulnerability allows the attacker to manipulate pathnames, which could lead to unauthorized read or write access to files outside of the intended directory.
Business impact
The vulnerability carries a CVSS score of 8.3, reflecting its potential for significant impact on data integrity and confidentiality. Successful exploitation could allow an attacker to bypass security controls, leading to unauthorized modification of system resources or disclosure of sensitive information.
Remediation
Immediate Action: Update zrok to version 2.0.3 immediately to address the path traversal vulnerability.
Proactive Monitoring: Review application logs for unusual path traversal attempts or unauthorized access requests targeting sensitive system files.
Compensating Controls: Utilize a Web Application Firewall to inspect and sanitize incoming traffic, blocking requests that exhibit directory traversal sequences.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the potential for severe impact, organizations using zrok must treat this update with high priority. Promptly applying the patch to version 2.0.3 is the most effective way to eliminate the risk of path traversal attacks.