CVE-2026-45568: rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

May 19, 2026

Alice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice’s configured target host with Bob’s host and returns the server-side response to Bob.

References

github.com/advisories/GHSA-jh67-hwqw-m5r7
github.com/openziti/zrok/security/advisories/GHSA-jh67-hwqw-m5r7
nvd.nist.gov/vuln/detail/CVE-2026-45568

Code Behaviors & Features

Detect and mitigate CVE-2026-45568 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →