What is CVE-2026-42275?

CVE-2026-42275 is a high-severity vulnerability in Netfoundry Zrok, classified under Path Traversal. CVSS score: 8.7/10. Published 2026-05-08.

How severe is CVE-2026-42275?

High severity. CVSS v3 base score is 8.7 out of 10.

Path Traversal in Netfoundry Zrok

CVE-2026-42275

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. W…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (17.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.7 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N.

Affected products

Netfoundry Zrok
Openziti Zrok — versions < 2.0.2

Weakness classification (CWE)

References

https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h (x_refsource_CONFIRM, Vendor Advisory)
https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e (Patch, x_refsource_MISC)
https://github.com/openziti/zrok/releases/tag/v2.0.2 (Product, x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-42275?: CVE-2026-42275 is a high-severity vulnerability in Netfoundry Zrok, classified under Path Traversal. CVSS score: 8.7/10. Published 2026-05-08.
How severe is CVE-2026-42275?: High severity. CVSS v3 base score is 8.7 out of 10.