PT-2026-33380 · Zrok · Zrok

Published: 2026-04-16 · Updated: 2026-04-18 · CVE-2026-40304
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: zrok versions prior to 2.0.1

Description: A logic error exists in the ownership guard of the unaccess handler in controller/unaccess.go. When a frontend record has its environment id set to NULL, which identifies admin-created global frontends, the ownership condition short-circuits to false, so the deletion proceeds without any ownership verification. A non-admin user who holds a global frontend token can call the DELETE /api/v2/unaccess endpoint with any of their own environment IDs and permanently delete the global frontend, disrupting all public shares routed through it.

Recommendations: Update to version 2.0.1.
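As an added illustration, not zrok's own code, the guard shape described above written in Go, with the flawed form beside a corrected one that treats a NULL environment id as an explicit admin-only case; the types and function names are hypothetical stand-ins for the controller's real model:

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the real records: a nil EnvironmentID
// marks an admin-created global frontend.
type Environment struct{ ID int64 }

type Frontend struct {
	Token         string
	EnvironmentID *int64 // nil for global (admin-created) frontends
}

var ErrUnauthorized = errors.New("unauthorized")

// vulnerableGuard mirrors the flawed shape: the ownership comparison only
// runs when the frontend has an environment id, so a nil id (a global
// frontend) makes the whole condition false and the delete goes ahead.
func vulnerableGuard(fe Frontend, callerEnv Environment, isAdmin bool) error {
	if fe.EnvironmentID != nil && *fe.EnvironmentID != callerEnv.ID {
		return ErrUnauthorized
	}
	return nil
}

// fixedGuard handles the nil case explicitly: global frontends may only be
// removed by admins; every other frontend must belong to the caller's env.
func fixedGuard(fe Frontend, callerEnv Environment, isAdmin bool) error {
	if fe.EnvironmentID == nil {
		if !isAdmin {
			return ErrUnauthorized
		}
		return nil
	}
	if *fe.EnvironmentID != callerEnv.ID {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	// Constructed sample: a non-admin caller with their own environment
	// asks to remove a global frontend.
	global := Frontend{Token: "public", EnvironmentID: nil}
	env := Environment{ID: 42}
	fmt.Println("vulnerable:", vulnerableGuard(global, env, false)) // <nil>: delete proceeds
	fmt.Println("fixed:", fixedGuard(global, env, false))           // unauthorized
}
```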

Weakness Enumeration: Incorrect Authorization; Improper Access Control

Related Identifiers: CVE-2026-40304, GHSA-3JPJ-V3XR-5H6G

Affected Products: Zrok