Listen to this Post
The vulnerability exists in `controller/unaccess.go` within the `unaccessHandler.Handle` function (line 56). The ownership guard contains a logical error: when a frontend record has `environment_id = NULL` (the marker for admin-created global frontends), the condition short-circuits to false. This bypasses the ownership verification entirely, allowing the deletion to proceed without any authorization check. A non-admin user who has obtained a global frontend token (through out-of-band means like leaked server logs or social engineering) can send a `DELETE /api/v2/unaccess` request, providing any of their own environment IDs. The endpoint accepts the request and permanently deletes the global frontend record. This action removes the routing entry for all public shares associated with that global frontend, effectively taking them offline across the entire platform instance. The attack is performed over the network via a standard HTTP API call. The attack complexity is high because the attacker must first acquire a valid global frontend token, which is not exposed through any standard API endpoint to non-admin users. The privilege requirement is low, requiring only a valid user account with at least one registered environment. No user interaction is needed. The scope remains unchanged, affecting only the targeted server instance. There is no confidentiality or integrity impact, as no data is disclosed or improperly modified. However, the availability impact is high, as the deletion of a single global frontend can disrupt all public shares routed through it, causing a platform-wide denial of service.
dailycve form
Platform: OpenZiti
Version: >0.3.0,<2.0.1
Vulnerability : Broken ownership check
Severity: Moderate (CVSS5.3)
date: 2026-04-16
Prediction: 2026-05-01
What Undercode Say:
Analytics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Bash Commands & Codes:
Exploit: Delete a global frontend using a known token
curl -X DELETE "https://target-instance/api/v2/unaccess" \
-H "Authorization: Bearer <valid_user_token>" \
-d '{"environment_id": "<attacker_env_id>", "token": "<global_frontend_token>"}'
Check current version (vulnerable if < 2.0.1)
ziti controller version
Exploit:
- Obtain a global frontend token via out-of-band means (e.g., leaked logs, admin docs).
- Authenticate with a valid non-admin user account that has an environment ID.
- Send a `DELETE /api/v2/unaccess` request with the attacker’s environment ID and the stolen token.
4. The vulnerable ownership guard short-circuits, bypassing verification.
- The global frontend record is permanently deleted, taking down all public shares routed through it.
Protection from this CVE:
- Upgrade to OpenZiti version 2.0.1 or later, where the ownership guard has been fixed.
- Restrict access to the `/api/v2/unaccess` endpoint using a Web Application Firewall (WAF) to filter requests from non-admin users.
- Monitor logs for suspicious `DELETE` requests to the unaccess endpoint.
Impact:
- Platform-wide availability disruption: Deleting a single global frontend removes all public shares routed through it.
- Denial of service: All users relying on those public shares are unable to access them.
- No data loss or corruption: The vulnerability only affects availability, not confidentiality or integrity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

