{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openziti/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["zrok/v2","zrok"],"_cs_severities":["high"],"_cs_tags":["path-traversal","webdav","zrok"],"_cs_type":"advisory","_cs_vendors":["OpenZiti"],"content_html":"\u003cp\u003eA path traversal vulnerability has been identified in the \u003ccode\u003ezrok copy\u003c/code\u003e command, affecting versions prior to 2.0.3 and versions 0.4.23 through 1.1.11. The vulnerability, tracked as CVE-2026-45576, allows a malicious actor controlling a WebDAV or zrok drive to write files outside the intended destination root on a victim\u0026rsquo;s system. This is achieved by manipulating the DAV \u003ccode\u003ehref\u003c/code\u003e response to include path traversal sequences like \u003ccode\u003e/../\u003c/code\u003e, which, when processed by the \u003ccode\u003eFilesystemTarget.WriteStream\u003c/code\u003e function, allow arbitrary files to be written with the sharing user\u0026rsquo;s credentials. 
This poses a significant risk of sensitive information being overwritten.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eBob sets up a malicious WebDAV server or a zrok drive.\u003c/li\u003e\n\u003cli\u003eBob crafts a DAV \u003ccode\u003ehref\u003c/code\u003e response containing path traversal sequences, such as \u003ccode\u003e/../outside.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlice executes the \u003ccode\u003ezrok2 copy\u003c/code\u003e command, specifying Bob\u0026rsquo;s malicious WebDAV server or zrok drive as the source and a local directory as the destination.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ezrok2 copy\u003c/code\u003e process retrieves the directory listing from Bob\u0026rsquo;s server, including the crafted \u003ccode\u003ehref\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ezrok2 copy\u003c/code\u003e process stores the malicious path in the source inventory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFilesystemTarget.WriteStream\u003c/code\u003e function receives the malicious path from the source inventory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFilesystemTarget.WriteStream\u003c/code\u003e function joins the attacker-controlled path with the target root path.\u003c/li\u003e\n\u003cli\u003eThe file \u003ccode\u003eoutside.txt\u003c/code\u003e is created (or overwritten) outside Alice\u0026rsquo;s specified target directory, with Alice\u0026rsquo;s credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45576 allows a malicious user with access to a zrok share to traverse the directory tree arbitrarily on the system where the \u003ccode\u003ezrok copy\u003c/code\u003e command is executed. 
This can lead to the overwriting of sensitive information, potentially causing data loss, system instability, or privilege escalation if critical system files are targeted. The number of victims and the scope of impact depend on the privileges of the user running \u003ccode\u003ezrok copy\u003c/code\u003e and the contents of the files that are overwritten.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ezrok/v2\u003c/code\u003e version 2.0.3 or later to patch CVE-2026-45576.\u003c/li\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ezrok\u003c/code\u003e versions between 0.4.23 and 1.1.11 (inclusive) to a patched version.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for unexpected write operations outside the intended target directory using a file integrity monitoring system, and deploy the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:39:49Z","date_published":"2026-05-19T15:39:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-zrok-path-traversal/","summary":"A path traversal vulnerability exists in zrok copy (CVE-2026-45576) where an attacker-controlled WebDAV or zrok drive can write files outside the destination root by manipulating the DAV `href` response.","title":"zrok 'copy' Path Traversal Vulnerability (CVE-2026-45576)","url":"https://feed.craftedsignal.io/briefs/2026-05-zrok-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenZiti","version":"https://jsonfeed.org/version/1.1"}