OpenZiti Zrok Global Frontend Deletion Vulnerability in Unaccess Handler

Vulnerability

A logical error in the ownership verification of the unaccess handler in OpenZiti Zrok prior to version 2.0.1 allows non-admin users to delete global frontend records. When a frontend record's environment_id is NULL (indicating that it was created by an admin and is not tied to any user environment), the ownership check is bypassed. A non-admin user who knows a global frontend's token can therefore delete that frontend via the DELETE /api/v2/unaccess endpoint, disrupting every public share routed through it.
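To make the flaw concrete from a defender's point of view, the following Go snippet (added here as an illustration; it is not zrok's code and does not reproduce its schema, handler names, or store) models an unaccess handler with the ownership check as the advisory describes it next to a hardened version. The Frontend, Caller, Store, vulnerableCanDelete, hardenedCanDelete and unaccess names, and the sample records in newStore, are assumptions constructed for the example. The point it shows: a nullable owner field must be treated as "owned by the platform" and gated on an admin role, never as "no owner, so skip the check".

```go
package main

import (
	"errors"
	"fmt"
)

// Frontend is a hypothetical, simplified record (not zrok's real schema).
// A nil EnvironmentID models a SQL NULL: a global frontend created by an admin.
type Frontend struct {
	Token         string
	EnvironmentID *int
}

// Caller is the authenticated principal invoking the unaccess handler.
type Caller struct {
	EnvironmentID int
	Admin         bool
}

var (
	ErrUnauthorized = errors.New("unauthorized")
	ErrNotFound     = errors.New("frontend not found")
)

// vulnerableCanDelete mirrors the logic error described in the advisory:
// a NULL environment_id short-circuits the ownership check, so any caller
// who knows the token passes.
func vulnerableCanDelete(c Caller, fe Frontend) bool {
	if fe.EnvironmentID == nil {
		return true // ownership check bypassed for global frontends
	}
	return *fe.EnvironmentID == c.EnvironmentID
}

// hardenedCanDelete treats a NULL environment_id as "owned by the platform":
// only admins may delete global frontends, and environment-scoped frontends
// may only be deleted by their owning environment.
func hardenedCanDelete(c Caller, fe Frontend) bool {
	if fe.EnvironmentID == nil {
		return c.Admin
	}
	return *fe.EnvironmentID == c.EnvironmentID
}

// Store is an in-memory stand-in for the frontend table, keyed by token.
type Store map[string]Frontend

// unaccess looks up the frontend by token, applies the supplied authorization
// predicate, and deletes the record only if the predicate allows it.
func unaccess(store Store, c Caller, token string, canDelete func(Caller, Frontend) bool) error {
	fe, ok := store[token]
	if !ok {
		return ErrNotFound
	}
	if !canDelete(c, fe) {
		return ErrUnauthorized
	}
	delete(store, token)
	return nil
}

// newStore builds constructed sample data: one global (admin-created)
// frontend and one frontend owned by environment 7.
func newStore() Store {
	env7 := 7
	return Store{
		"public-global": {Token: "public-global", EnvironmentID: nil},
		"user7-share":   {Token: "user7-share", EnvironmentID: &env7},
	}
}

func main() {
	user := Caller{EnvironmentID: 42}
	admin := Caller{EnvironmentID: 1, Admin: true}

	s := newStore()
	fmt.Println("vulnerable, non-admin deletes global:", unaccess(s, user, "public-global", vulnerableCanDelete))
	s = newStore()
	fmt.Println("hardened, non-admin deletes global:  ", unaccess(s, user, "public-global", hardenedCanDelete))
	fmt.Println("hardened, admin deletes global:      ", unaccess(s, admin, "public-global", hardenedCanDelete))
}
```

The hardened predicate is the shape of check to look for when reviewing any "delete by token" handler: the decision must be a function of the caller's identity and role, and a record with no owning environment must fall through to an explicit admin requirement rather than to a default allow.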

Impact

Exploitation of this vulnerability allows unauthorized deletion of global frontend records. Because every public share routed through the deleted frontend stops working, the result is a platform-wide availability impact.

Remediation

Users should upgrade to OpenZiti Zrok version 2.0.1 or later to address this vulnerability.

Added: Apr 17, 2026, 10:34 PM
Updated: Apr 17, 2026, 10:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 4.3
remediation: 0.0
relevance: 6.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.