PT-2026-37189 · Zrok · Zrok

Published 2026-04-25 · Updated 2026-05-09 · CVE-2026-42275

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: zrok versions prior to 2.0.2
Description: The zrok WebDAV drive backend davServer.Dir restricts path traversal through lexical normalization but does not prevent symlink following. If a symbolic link within the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read the files it points to. On shares lacking OS-level permission restrictions, attackers can also write to or overwrite files anywhere on the host filesystem accessible to the zrok process, because the WebDAV PUT handler opens files with O_RDWR|O_CREATE|O_TRUNC. The issue affects the Dir.OpenFile(), Dir.Stat(), Dir.Mkdir(), and Dir.RemoveAll() functions in drives/davServer/file.go, as well as NewBackend() in endpoints/drive/backend.go.
Recommendations: Update to version 2.0.2.
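As an added illustration (not zrok's code), the resolver below contrasts a purely lexical clean-and-join check, of the kind the description says davServer.Dir relies on, with one that also resolves symlinks and verifies the real target stays under the share root; the names lexicalResolve, safeResolve and ErrOutsideRoot are chosen here and the not-yet-existing-file branch models a PUT creating a new file.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("resolved path escapes the drive root")

// lexicalResolve cleans the request path and joins it onto root. This stops
// "../" escapes but never looks at where a symlink under root actually points.
func lexicalResolve(root, name string) string {
	return filepath.Join(root, filepath.FromSlash(path.Clean("/"+name)))
}

// safeResolve also follows symlinks and requires the real target to stay under
// the real root, so a link inside the share cannot lead reads or writes outside it.
func safeResolve(root, name string) (string, error) {
	p := lexicalResolve(root, name)
	target, err := filepath.EvalSymlinks(p)
	if errors.Is(err, os.ErrNotExist) { // not created yet (e.g. a PUT): judge by the parent
		if fi, lerr := os.Lstat(p); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrOutsideRoot // dangling link: O_CREATE would create its target
		}
		var parent string
		parent, err = filepath.EvalSymlinks(filepath.Dir(p))
		target = filepath.Join(parent, filepath.Base(p))
	}
	realRoot, rerr := filepath.EvalSymlinks(root) // the root itself may sit behind a symlink
	if err != nil || rerr != nil {
		return "", errors.Join(err, rerr)
	}
	rel, err := filepath.Rel(realRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return target, nil
}

func main() { // stand-alone use: go run . <drive-root> <request-path>
	if len(os.Args) != 3 {
		fmt.Println("usage: go run . <drive-root> <request-path>")
		return
	}
	fmt.Println(safeResolve(os.Args[1], os.Args[2]))
}
```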

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-42275
GHSA-74M3-9QVM-RP9H

Affected Products

Zrok