GHSA-c656-jcx2-7pqj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c656-jcx2-7pqj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-c656-jcx2-7pqj/GHSA-c656-jcx2-7pqj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c656-jcx2-7pqj
- Aliases
-
- CVE-2026-45576
- Published
- 2026-05-19T15:38:56Z
- Modified
- 2026-05-19T15:47:20.430267023Z
- Severity
-
- 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
- Summary
- zrok copy writes attacker-controlled WebDAV paths outside the destination root
- Details
-
Summary
Alice runs
zrok2 copyfrom a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAVhrefsuch as/../outside.txt. The sync pipeline stores that path in the source inventory and passes it toFilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.Impact
Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.
- Database specific
{ "github_reviewed_at": "2026-05-19T15:38:56Z", "github_reviewed": true, "cwe_ids": [ "CWE-22" ], "nvd_published_at": null, "severity": "HIGH" }- References
Affected packages
Go / github.com/openziti/zrok/v2
Package
- Name
- github.com/openziti/zrok/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openziti/zrok/v2
Go / github.com/openziti/zrok
Package
- Name
- github.com/openziti/zrok
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openziti/zrok