Vulnerability Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netfoundry | Zrok | < 2.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/openziti/zrok/releases/tag/v2.0.1Release Notes
- https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6gVendor Advisory
FAQ
What is CVE-2026-40304?
CVE-2026-40304 is a vulnerability with a CVSS score of 5.3 (MEDIUM). zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a f...
How severe is CVE-2026-40304?
CVE-2026-40304 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40304?
Check the references section above for vendor advisories and patch information. Affected products include: Netfoundry Zrok.