CVE-2026-45576: zrok copy writes attacker-controlled WebDAV paths outside the destination root

May 19, 2026

Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice’s selected directory.

References

github.com/advisories/GHSA-c656-jcx2-7pqj
github.com/openziti/zrok/security/advisories/GHSA-c656-jcx2-7pqj
nvd.nist.gov/vuln/detail/CVE-2026-45576

Code Behaviors & Features

Detect and mitigate CVE-2026-45576 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →