CVE-2026-45576
zrok copy writes attacker-controlled WebDAV paths outside the destination root
Description
## Summary Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the target root and creates the file outside Alice's selected directory. ### Impact Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.
How to fix CVE-2026-45576
To remediate CVE-2026-45576, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 2.0.3 or later
Is CVE-2026-45576 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-45576.
Affected packages (2)
- >= 0.4.23, <= 1.1.11
- from 0, < 2.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N |