DNA View

CVE-2026-40304

Medium

Low Medium High Critical

5.3

CVSS Score

Published: Apr 17, 2026

Last Modified: Apr 17, 2026

CWE: CWE-284

Vulnerability Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership verification. A non-admin user who knows a global frontend token can call DELETE /api/v2/unaccess with any of their own environment IDs and permanently delete the global frontend, taking down all public shares routed through it. Version 2.0.1 patches the issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

Severity Details

5.3

out of 10.0

Medium

Weakness Type (CWE)

CWE-284

Improper Access Control

Description: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Typical Severity: Medium
Abstraction Level: Pillar

View CWE Details on MITRE

Key Information

Published Date: April 17, 2026

External Resources

NIST NVD

National Vulnerability Database

MITRE CVE

Official CVE record

CVE Vulnerabilities

Posts & Pages