CVE-2026-40304 Overview
CVE-2026-40304 is a broken access control flaw [CWE-284] in zrok, an open source platform for sharing web services, files, and network resources. The vulnerability resides in the unaccess handler at controller/unaccess.go, where an ownership guard short-circuits when a frontend record has environment_id = NULL. That NULL value marks admin-created global frontends, so the check bypasses ownership verification entirely. A non-admin user who knows a global frontend token can issue a DELETE /api/v2/unaccess request with any of their own environment IDs and permanently delete that global frontend. Removing the global frontend takes down every public share routed through it. Version 2.0.1 patches the issue.
Critical Impact
Any authenticated zrok user can permanently destroy admin-created global frontends, disrupting all public shares routed through them.
Affected Products
- Netfoundry zrok versions prior to 2.0.1
- Self-hosted zrok controllers exposing the /api/v2/unaccess endpoint
- zrok deployments that rely on global (admin-created) frontends to route public shares
Discovery Timeline
- 2026-04-17 - CVE-2026-40304 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-40304
Vulnerability Analysis
zrok separates frontends into user-owned and global (admin-created) records. User-owned frontends carry an environment_id linking them to a specific user environment, while global frontends store environment_id as NULL. The unaccess handler in controller/unaccess.go is responsible for tearing down access bindings and, by extension, frontend records.
The handler enforces ownership by comparing the frontend's environment_id against an environment owned by the caller. When environment_id is NULL, the SQL or Go-level comparison evaluates to false, but the code path interprets that result as "no ownership conflict" rather than "unverified ownership." The deletion proceeds without authorization, allowing any authenticated user to remove an admin-managed resource.
Root Cause
The root cause is improper handling of NULL semantics inside the ownership predicate. The guard treats the absence of an owning environment as a passable condition instead of an explicit denial. Records reserved for administrative control should fail closed when standard ownership cannot be established.
Attack Vector
Exploitation requires network access to the zrok controller API and low-privilege authenticated credentials. The attacker must also know a target global frontend token, which is typically referenced in public share URLs and configuration. The attacker calls DELETE /api/v2/unaccess, supplies the global frontend token, and includes any environment ID they legitimately own. The handler validates the caller's environment, fails to validate frontend ownership against NULL, and removes the global frontend, breaking all dependent public shares. Refer to the GitHub Security Advisory GHSA-3jpj-v3xr-5h6g for the upstream technical write-up.
Detection Methods for CVE-2026-40304
Indicators of Compromise
- DELETE /api/v2/unaccess requests submitted by non-admin accounts that target frontend tokens belonging to global frontends.
- Sudden disappearance of admin-created global frontend records in the zrok controller database with no corresponding administrative action.
- Mass failures across public shares that previously routed through a shared global frontend.
Detection Strategies
- Audit controller logs for unaccess calls and correlate the requesting user's role against the deleted frontend's environment_id.
- Alert when a frontend whose environment_id is NULL is removed by any account other than a designated administrator.
- Compare a known-good inventory of global frontends to the live controller state on a recurring schedule.
Monitoring Recommendations
- Ship zrok controller API and database logs to a centralized log platform with retention sufficient for incident review.
- Track HTTP 200 responses on DELETE /api/v2/unaccess and pivot on user identity, source IP, and frontend token.
- Monitor share availability metrics and treat sharp drops as a trigger for frontend integrity checks.
How to Mitigate CVE-2026-40304
Immediate Actions Required
- Upgrade all zrok controllers to version 2.0.1 or later as published in the zrok v2.0.1 release.
- Rotate any global frontend tokens that may have been exposed in shared URLs, documentation, or chat history.
- Review controller audit logs for unauthorized unaccess activity since the affected versions were deployed.
Patch Information
Netfoundry resolved the flaw in zrok version 2.0.1. The fix updates the ownership guard in controller/unaccess.go so that frontend records with environment_id = NULL cannot be deleted through the standard unaccess path. Full details are available in the GitHub Security Advisory GHSA-3jpj-v3xr-5h6g.
Workarounds
- Restrict network access to the zrok controller API to trusted administrative networks until the upgrade is complete.
- Limit account creation on shared zrok deployments and review existing low-privilege accounts for legitimacy.
- Back up the controller database regularly so deleted global frontends can be restored quickly if abused.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
