zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend…
GitHub_M·CWE-22·Published 2026-04-25
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
**Summary**

The zrok WebDAV drive backend (`davServer.Dir`) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process.

- Attack Vector: Network — exploitation is performed entirely over the WebDAV endpoint; the attacker issues HTTP requests to the public zrok share URL.
- Attack Complexity: High — a precondition outside the attacker's direct control must hold: a symlink pointing outside DriveRoot must already exist within it (created locally, not via WebDAV).
- Privileges Required: None — `zrok share public --backend-mode drive` exposes the WebDAV endpoint with no authentication by default.
- User Interaction: None — once the symlink precondition is met, exploitation requires no user interaction.
- Scope: Changed — the vulnerability allows an attacker to escape the WebDAV root (the security boundary) and access the broader host filesystem.
- Confidentiality Impact: High — arbitrary files readable by the zrok process can be retrieved.
- Integrity Impact: High — the WebDAV PUT handler opens files with `O_RDWR|O_CREATE|O_TRUNC`, meaning symlink targets outside DriveRoot can be overwritten (e.g. `~/.ssh/authorized_keys`).
- Availability Impact: None — no direct availability impact.

**Affected Components**

- `drives/davServer/file.go` — `Dir.OpenFile` (line 140), `Dir.Stat` (line 176), `Dir.Mkdir` (line 133), `Dir.RemoveAll` (line 151)
- `endpoints/drive/backend.go` — `NewBackend` (lines 51–52)
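The Go example below is added here and is not zrok's own code. `lexicalResolve` is an assumed stand-in for the lexical normalization the summary describes (Clean the request name against "/", then join it onto the root), and `safeResolve` adds the containment check that normalization alone lacks: the symlink-resolved location must stay inside the resolved root, including for a leaf that does not yet exist (a PUT or MKCOL target under a symlinked directory) and for a dangling link that an `O_CREATE` open would otherwise materialize outside the root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path resolves outside the drive root") // checked after symlink resolution

// lexicalResolve maps a WebDAV request name onto root the purely lexical way (assumed model):
// Clean("/"+name) defeats "../" traversal, but the OS still follows any symlink on the path.
func lexicalResolve(root, name string) string {
	return filepath.Join(root, filepath.FromSlash(filepath.Clean("/"+name)))
}

// safeResolve adds the missing check: the real (symlink-resolved) location must be
// inside the real root. A leaf that does not exist yet (PUT/MKCOL) is validated
// through its existing parent directory, so a symlinked parent cannot redirect the write.
func safeResolve(root, name string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	p := lexicalResolve(root, name)
	var real, parent string
	fi, lerr := os.Lstat(p)
	switch {
	case lerr == nil:
		real, err = filepath.EvalSymlinks(p)
		if err != nil && fi.Mode()&os.ModeSymlink != 0 {
			// Dangling link: O_CREATE through it would create the target, so refuse it.
			return "", fmt.Errorf("%w: dangling symlink %s", ErrOutsideRoot, name)
		}
	case errors.Is(lerr, os.ErrNotExist):
		parent, err = filepath.EvalSymlinks(filepath.Dir(p))
		real = filepath.Join(parent, filepath.Base(p))
	default:
		return "", lerr
	}
	if err != nil {
		return "", err
	}
	if real != realRoot && !strings.HasPrefix(real, realRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s", ErrOutsideRoot, name)
	}
	return real, nil
}
```

Callers that map request names for OpenFile, Stat, Mkdir and RemoveAll would use `safeResolve` in place of the lexical mapping and translate `ErrOutsideRoot` into a 403 or 404.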
| CVSS Version | Type | Source | Base Score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 8.7 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | Secondary | NVD | 8.7 | 2.2 | 5.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
| 3.1 | Secondary | GHSA | 8.7 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |