{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40304", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T21:41:54.504Z", "datePublished": "2026-04-17T21:04:23.648Z", "dateUpdated": "2026-04-20T14:57:24.486Z"}, "containers": {"cna": {"title": "zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g"}, {"name": "https://github.com/openziti/zrok/releases/tag/v2.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"}], "affected": [{"vendor": "openziti", "product": "zrok", "versions": [{"version": "< 2.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:04:23.648Z"}, "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue."}], "source": {"advisory": "GHSA-3jpj-v3xr-5h6g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:51:35.879686Z", "id": "CVE-2026-40304", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:57:24.486Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:51:35.879686Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:51:37.103Z"}}], "cna": {"title": "zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records", "source": {"advisory": "GHSA-3jpj-v3xr-5h6g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openziti", "product": "zrok", "versions": [{"status": "affected", "version": "< 2.0.1"}]}], "references": [{"url": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g", "name": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openziti/zrok/releases/tag/v2.0.1", "name": "https://github.com/openziti/zrok/releases/tag/v2.0.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:04:23.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40304", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:57:24.486Z", "dateReserved": "2026-04-10T21:41:54.504Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T21:04:23.648Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netfoundry:zrok:*:*:*:*:*:*:*:*", "matchCriteriaId": "70C6F018-6D34-4A75-A49D-A795B0A5B056", "versionEndExcluding": "2.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue."}], "id": "CVE-2026-40304", "lastModified": "2026-04-23T18:33:27.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:32.230", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openziti/zrok/security/advisories/GHSA-3jpj-v3xr-5h6g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zrok", "source": "cna", "vendor": "openziti"}, "product": "zrok", "vendor": "openziti"}], "analysis": {"en": {"generated_at": "2026-04-18T17:05:47.479678+00:00", "value": {"mitigation_remediation": ["Upgrade zrok to version 2.0.1 or newer to apply the fix.", "If an upgrade cannot be performed immediately, remove or revoke any global frontend tokens that are currently exposed in your environment to prevent unauthorized DELETE operations.", "Enforce strict API rate limiting and monitor DELETE requests to the /api/v2/unaccess endpoint for anomalous activity."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation and Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the openziti zrok service version prior to 2.0.1. Any deployment that exposes the DELETE /api/v2/unaccess endpoint for frontends created without an environment ID is impacted. Version 2.0.1 and later incorporate the fix, so only older builds are at risk. There are no other vendor or product listings for this issue.", "description_and_impact": "The logic error in controller/unaccess.go causes the ownership guard to fail when environment_id is NULL, i.e., for admin\u2011created global frontends. The condition short\u2011circuits to false, so the check is bypassed. A non\u2011admin user who knows the global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs, permanently deleting the global frontend. This removes the routing point that all public shares use, effectively denying service to all users relying on those shares. The flaw is a classic broken access\u2011control (CWE\u2011284) combined with an inverse\u2011logic error (CWE\u2011863).", "risk_and_exploitability": "With a CVSS score of 5.3 the bug falls in the medium severity range. No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog, so the current probability of exploitation is unknown but the presence of a documented remote API endpoint suggests that an attacker who obtains a global frontend token could perform the deletion with minimal effort. The attack vector is remote, via an HTTP DELETE request. The lack of an official workaround means patching is the only reliable mitigation."}}}}, "created": "2026-04-18T17:15:05.779052+00:00", "updated": "2026-04-20T14:59:32.727191+00:00", "vendors": ["openziti", "openziti$PRODUCT$zrok"]}