5.3
CVE-2026-40304
- EPSS 0.29%
- Veröffentlicht 17.04.2026 21:04:23
- Zuletzt bearbeitet 23.04.2026 18:33:27
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginzrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Netfoundry ≫ Zrok Version < 2.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.201 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/openziti/zrok/releases/tag/v2.0.1
https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g