Browse all 6 CVE security advisories affecting openziti. AI-powered Chinese analysis, POCs, and references for each vulnerability.
OpenZiti provides zero-trust network access and secure service connectivity: services are reached over an encrypted, identity-based overlay instead of ports exposed to the public Internet. The CVEs listed below all concern zrok, the sharing tool built on OpenZiti, and fall into familiar web-application classes rather than flaws in the overlay itself: a WebDAV backend that follows symlinks outside its configured root (CWE-61), an ownership check that lets a non-admin delete records it does not own (CWE-284), unbounded memory allocation while parsing a session cookie, reachable without authentication (CWE-400), and reflected cross-site scripting in an OAuth callback (CWE-79). No major public incidents have been widely documented. The zero-trust architecture reduces the network attack surface, but it does not validate the inputs of the services published over it, so security teams should apply updates promptly and keep API and management endpoints reachable only by authorized identities.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-42275 | zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write (zrok, CWE-61) | 8.7 | High | 2026-05-08 |
| CVE-2026-40304 | zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records (zrok, CWE-284) | 5.3 | Medium | 2026-04-17 |
| CVE-2026-40303 | zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing (zrok, CWE-400) | 7.5 | High | 2026-04-17 |
| CVE-2026-40302 | zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering (zrok, CWE-79) | 6.1 | Medium | 2026-04-17 |
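The CWE-61 entry above, a WebDAV backend that follows symlinks out of its configured root, is the classic case where a lexical path check (cleaning the path and comparing a prefix) is not enough: a symlink inside the root can point anywhere. The Go function below is added here as an illustration and is not code from zrok or OpenZiti. It resolves symlinks before testing containment, tolerates a path whose last components do not exist yet (an upload), and rejects a dangling symlink that a later write would follow. The names ResolveWithinRoot, resolveExisting and ErrOutsideRoot, and the temp-directory layout built in main, are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request resolves to a location outside the drive root.
var ErrOutsideRoot = errors.New("path escapes drive root")

// ResolveWithinRoot maps a client-supplied WebDAV path onto the filesystem under
// root and returns the real (symlink-resolved) path, or ErrOutsideRoot if that
// real path lies outside root. Symlinks are resolved before the containment
// check, which is exactly the step a purely lexical check misses.
func ResolveWithinRoot(root, requested string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Resolve the root itself so the comparison below uses real paths even
	// when the root sits behind a symlink (e.g. /tmp -> /private/tmp on macOS).
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	// Lexical step: anchor the request at "/" so leading ".." segments are
	// discarded, then join it beneath the real root.
	candidate := filepath.Join(realRoot, filepath.Clean("/"+requested))
	// Symlink step: resolve every existing component of the candidate.
	resolved, err := resolveExisting(candidate)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// resolveExisting is like filepath.EvalSymlinks but tolerates a trailing run of
// components that do not exist yet (the target of a PUT or MKCOL). It resolves
// the deepest existing ancestor and re-appends the missing names. A dangling
// symlink along the way is rejected: a later create or write would follow it.
func resolveExisting(p string) (string, error) {
	resolved, err := filepath.EvalSymlinks(p)
	if err == nil {
		return resolved, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return "", err
	}
	parent := filepath.Dir(p)
	if parent == p {
		return "", err // reached the filesystem root without finding anything
	}
	resolvedParent, err := resolveExisting(parent)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(resolvedParent, filepath.Base(p))
	if fi, lerr := os.Lstat(joined); lerr == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", fmt.Errorf("%s: dangling symlink", joined)
	}
	return joined, nil
}

func main() {
	// Constructed demo layout (not from zrok): a drive root holding one regular
	// file and a symlink that points at a directory outside the root.
	root, err := os.MkdirTemp("", "driveroot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	outside, err := os.MkdirTemp("", "outside")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(outside)
	_ = os.WriteFile(filepath.Join(root, "ok.txt"), []byte("inside\n"), 0o600)
	_ = os.WriteFile(filepath.Join(outside, "secret.txt"), []byte("outside\n"), 0o600)
	_ = os.Symlink(outside, filepath.Join(root, "escape"))

	for _, req := range []string{"ok.txt", "new/upload.bin", "../../etc/passwd", "escape/secret.txt"} {
		p, err := ResolveWithinRoot(root, req)
		if err != nil {
			fmt.Printf("%-20s rejected: %v\n", req, err)
			continue
		}
		fmt.Printf("%-20s allowed: %s\n", req, p)
	}
}
```

Note that `../../etc/passwd` is clamped to `<root>/etc/passwd` and allowed, while `escape/secret.txt` is rejected even though it contains no `..`. The check is still check-then-use: a symlink created between the resolution and the open can race it. On Linux, `openat2(2)` with `RESOLVE_BENEATH`, or Go 1.24's `os.OpenRoot`, which performs the same confinement at open time, closes that window.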
This page lists every published CVE security advisory associated with openziti. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.