External risk intelligence

zrok Server-Side Request Forgery via Absolute URL Proxying

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-45568

zrok is software specifically designed to share web services and network resources. As a proxy/sharing tool intended to make internal services reachable, its primary deployment role involves acting as a public-facing or externally accessible gateway or proxy service, making it highly probable that such components are exposed to the internet.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a vulnerability in zrok, a tool used for sharing web services and network resources. The issue could allow an attacker to redirect requests to unintended external locations, potentially exposing sensitive information or systems. Confirming the relevance and exposure of zrok within your environment is the primary concern.

  • Allows external redirection of shared resources.
  • Could expose internal systems via shared services.
  • Confirm zrok usage and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a zrok service. This request would manipulate the target URL, causing the service to fetch and return content from an attacker-controlled location. The vulnerability lies in how zrok processes shared service requests, allowing an attacker to redirect the service to an arbitrary external URL.

  • No authentication or network access needed.
  • Malicious URL in request path.
  • Server-side response from attacker URL.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to redirect zrok's proxy route to an arbitrary URL. When the proxy is configured to share a web service, this could result in the service's responses being sourced from an attacker-controlled location instead of the intended target.

  • Potentially exposes configured target host.
  • Requests can be made to attacker-chosen URLs.
  • May impact service availability and integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

The zrok software, used for sharing web services and resources, presents a critical vulnerability that could allow an attacker to direct requests to unauthorized URLs. Responsibility for addressing this issue likely falls to teams managing the zrok deployment, potentially including application owners, platform engineers, or security teams, depending on the specific infrastructure. The first crucial step is to identify all zrok instances, assess their exposure and business criticality, and confirm the accountable owner before planning remediation.

  • Application or platform teams own remediation.
  • Verify zrok instances and external reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is zrok and how is it typically used?

zrok is an open-source software platform used to share web services, files, and other network resources securely. It functions as a bridge that allows users to make local or private services accessible over the internet or through private networks without complex firewall configurations, often acting as a proxy gateway for these shared resources.

What does CVE-2026-45568 mean?

This CVE identifies a Server-Side Request Forgery (SSRF) vulnerability, classified as CWE-22. In plain English, the software incorrectly handles specific URL inputs. This flaw allows an attacker to manipulate the proxy route so the server fetches data from an arbitrary, attacker-selected website instead of the intended destination.

How does an attacker trigger this vulnerability?

An attacker triggers the bug by sending a specially crafted HTTP request containing an absolute URL in the path. When the zrok Python SDK processes this, it causes the internal proxy to ignore the intended target host and follow the attacker's path instead. The vulnerability does not require authentication or prior access to the network; it only requires reaching the proxy route.

Is my zrok instance at risk?

Halo Surface Signal indicates that because zrok is specifically designed to share web services, its primary role often involves acting as a public-facing gateway. If your zrok instance is configured to be internet-facing or accessible to untrusted users, it is highly likely that your environment falls within the scope of this vulnerability.

What should I do if I am running zrok?

First, identify all zrok instances currently deployed in your infrastructure to determine which are accessible over the network. Once you have a clear inventory, prioritize updating your software to version 2.0.3 or later, which contains the fix for this issue. Coordinate with your application or platform teams to ensure these updates are applied.

References