What is GHSA-c656-jcx2-7pqj?

GHSA-c656-jcx2-7pqj is a security advisory published by GitHub Security Advisories with High severity. zrok copy writes attacker-controlled WebDAV paths outside the destination root

Which CVE IDs does GHSA-c656-jcx2-7pqj cover?

GHSA-c656-jcx2-7pqj covers the following CVE IDs: CVE-2026-45576. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-c656-jcx2-7pqj?

GHSA-c656-jcx2-7pqj affects 2 products, including: go/github.com/openziti/zrok/v2:\u003c 2.0.3; go/github.com/openziti/zrok:\u003e= 0.4.23, \u003c= 1.1.11.

GHSA-c656-jcx2-7pqjHigh

zrok copy writes attacker-controlled WebDAV paths outside the destination root

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-45576 →

📋 Description

## Summary Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the target root and creates the file outside Alice's selected directory. ### Impact Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.

🎯 Affected products2

go/github.com/openziti/zrok/v2:< 2.0.3
go/github.com/openziti/zrok:>= 0.4.23, <= 1.1.11

🔗 References (2)

https://github.com/openziti/zrok/security/advisories/GHSA-c656-jcx2-7pqj
https://github.com/advisories/GHSA-c656-jcx2-7pqj