Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-40304
5.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.
References
-
https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g x_refsource_CONFIRM
-
https://github.com/openziti/zrok/releases/tag/v2.0.1 x_refsource_MISC
Affected products
zrok
- ==< 2.0.1
Package maintainers
-
@bennyandresen Benjamin Andresen <bandresen@gmail.com>