CVE-2026-40302 Overview
CVE-2026-40302 is a Cross-Site Scripting (XSS) vulnerability in zrok, software used for sharing web services, files, and network resources. The vulnerability exists in versions prior to 2.0.1 due to the proxyUi template engine using Go's text/template package instead of the safer html/template package. This design flaw allows attacker-controlled input to be rendered unescaped into HTML output, enabling arbitrary JavaScript execution.
Critical Impact
An attacker can execute arbitrary JavaScript in the context of the OAuth server's origin by delivering a crafted login URL to victims, potentially leading to session hijacking, credential theft, or other malicious actions after the victim completes the GitHub OAuth flow.
Affected Products
- Netfoundry zrok versions prior to 2.0.1
Discovery Timeline
- 2026-04-17 - CVE CVE-2026-40302 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-40302
Vulnerability Analysis
This vulnerability stems from a fundamental template security misconfiguration in zrok's proxy component. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter directly into an error message when time.ParseDuration fails to parse the input. Because the application uses Go's text/template package—which does not perform HTML escaping—instead of the security-aware html/template package, the error message containing the malicious payload is rendered unescaped into the HTML response.
The attack requires user interaction: a victim must click on a crafted login URL and complete the GitHub OAuth authentication flow. Upon callback completion, the injected JavaScript executes within the OAuth server's origin context, giving the attacker access to sensitive information or the ability to perform actions on behalf of the authenticated user.
Root Cause
The root cause is the use of Go's text/template package for rendering HTML content in the proxyUi template engine. Unlike html/template, which automatically escapes dangerous characters to prevent XSS attacks, text/template outputs content verbatim without any sanitization. When user-controlled input (the refreshInterval query parameter) is embedded into error messages and rendered through this template, it creates a reflected XSS vulnerability.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious login URL containing JavaScript payload in the refreshInterval query parameter. When a victim clicks this URL and authenticates via GitHub OAuth, the callback handler attempts to parse the refreshInterval value using time.ParseDuration. The parsing fails due to the malicious input, and the error message—containing the attacker's JavaScript—is rendered unescaped into the HTML response. The browser then executes the injected script in the OAuth server's security context.
The vulnerability mechanism works as follows: the attacker embeds malicious JavaScript within the refreshInterval query parameter. When the OAuth callback processes this parameter and encounters a parsing error, it includes the raw parameter value in an error message. This error message is rendered through the vulnerable text/template engine without HTML encoding, allowing the JavaScript to execute when the browser renders the page.
For detailed technical information, see the GitHub Security Advisory GHSA-4fxq-2x3x-6xqx.
Detection Methods for CVE-2026-40302
Indicators of Compromise
- Unusual OAuth callback URLs containing script tags or JavaScript event handlers in the refreshInterval parameter
- Web server logs showing malformed refreshInterval values with HTML/JavaScript content
- Reports of unexpected JavaScript behavior on OAuth callback pages
Detection Strategies
- Monitor web application logs for OAuth callback requests with suspicious refreshInterval parameter values containing <script>, javascript:, or HTML event handlers
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Review application error logs for time.ParseDuration failures with unusual input patterns
Monitoring Recommendations
- Enable detailed logging for OAuth callback handlers and monitor for anomalous parameter values
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in query parameters
- Monitor for user reports of unexpected pop-ups or behavior after OAuth authentication flows
How to Mitigate CVE-2026-40302
Immediate Actions Required
- Upgrade zrok to version 2.0.1 or later immediately
- Audit OAuth callback URLs shared within your organization for potential malicious modifications
- Implement Content Security Policy (CSP) headers as a defense-in-depth measure while patching is underway
- Review access logs for signs of exploitation attempts targeting the OAuth callback endpoints
Patch Information
NetFoundry has released version 2.0.1 of zrok which addresses this vulnerability by switching from text/template to html/template for HTML rendering, ensuring proper escaping of user-controlled input. The patch is available via the GitHub zrok v2.0.1 Release.
Workarounds
- Deploy a reverse proxy or WAF in front of zrok instances to filter XSS payloads in query parameters
- Implement strict Content Security Policy headers to prevent inline script execution
- If GitHub OAuth is not required, consider disabling or restricting access to OAuth callback endpoints until patching is possible
# Example: Update zrok to patched version
# Download and install zrok v2.0.1 or later
curl -L https://github.com/openziti/zrok/releases/download/v2.0.1/zrok_2.0.1_linux_amd64.tar.gz -o zrok.tar.gz
tar -xzf zrok.tar.gz
sudo mv zrok /usr/local/bin/
zrok version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
