Please refer to the openziti-security repository for details of the security policies and processes for this repository.
Security: openziti/zrok
- WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write (GHSA-74m3-9qvm-rp9h), published Apr 21, 2026 by mikegorman-nf. Severity: High
- Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering (GHSA-4fxq-2x3x-6xqx), published Apr 16, 2026 by mikegorman-nf. Severity: Moderate
- Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing (GHSA-cpf9-ph2j-ccr9), published Apr 16, 2026 by mikegorman-nf. Severity: High
- Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records (GHSA-3jpj-v3xr-5h6g), published Apr 16, 2026 by mikegorman-nf. Severity: Moderate
Learn more about advisories related to openziti/zrok in the GitHub Advisory Database