# [CRIT] [GHSA / CRITICAL] CVE-2026-45568: zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

**Source:** GitHub Security Advisories
**Published:** 2026-05-19
**Article:** https://github.com/advisories/GHSA-jh67-hwqw-m5r7

## Threat Profile

zrok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

## Summary

Alice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice's configured target host with Bob's host and returns the server-side response to Bob.
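The host-replacement behaviour described above, as an added example (not code from zrok or the advisory): the `urljoin` pattern beside a hardened join that keeps the configured origin, plus a log check that mirrors the hunt's absolute-URL-path pattern. The target URL and hostnames are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit, quote

# Constructed example: the share's fixed upstream target (hypothetical host)
TARGET = "http://10.0.0.5:8080/app/"


def vulnerable_upstream_url(target: str, path: str) -> str:
    """The pattern the advisory describes: urljoin treats an absolute URL
    (scheme://host or //host) in `path` as a new base and drops the target."""
    return urljoin(target, path)


def hardened_upstream_url(target: str, path: str) -> str:
    """Treat `path` strictly as a path segment under the configured target.
    Percent-encode ':' so no scheme can be parsed out of it, strip leading
    slashes so '//host' cannot become an authority, then re-parse and confirm
    the origin (scheme + netloc) is still the configured one."""
    base = urlsplit(target)
    segment = quote(path.lstrip("/"), safe="/")
    candidate = urlunsplit((base.scheme, base.netloc,
                            base.path.rstrip("/") + "/" + segment, "", ""))
    parsed = urlsplit(candidate)
    # Last-resort guard: refuse to proxy if the origin moved anyway
    if (parsed.scheme, parsed.netloc) != (base.scheme, base.netloc):
        raise ValueError("upstream origin changed: refusing to proxy")
    return candidate


# Same shape as the hunt regex: a request path that opens with an absolute URL
_ABS_URL_PATH = re.compile(r"^/+https?:/", re.IGNORECASE)


def is_absolute_url_path(request_path: str) -> bool:
    """Detection helper for access logs: True when the raw request path
    begins with http(s):/ or with a protocol-relative //host."""
    return bool(_ABS_URL_PATH.match(request_path)) or request_path.startswith("//")
```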

## Details

The Python SDK proxy route accepts every path under the share:

```python
@app.route('/', defau…
```

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-45568`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1090** — Proxy

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### zrok ProxyShare SSRF — request path begins with absolute URL (CVE-2026-45568)

`UC_260_1` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    values(Web.url) as urls values(Web.http_method) as methods values(Web.status) as statuses values(Web.user_agent) as ua
    from datamodel=Web.Web
    where Web.dest_port IN (80,443,8080,8443)
      (Web.url="/http://*" OR Web.url="/https://*" OR Web.url="//http*"
       OR Web.uri_path="/http://*" OR Web.uri_path="/https://*"
       OR Web.uri_query="*http://127.0.0.1*" OR Web.uri_query="*http://169.254.169.254*" OR Web.uri_query="*http://metadata*")
    by Web.src Web.dest Web.site Web.user
| `drop_dm_object_name(Web)`
| where match(url, "(?i)^/https?:/") OR match(uri_path, "(?i)^/https?:/")
| sort - lastTime
```

**Defender KQL:**
```kql
// Defender Advanced Hunting has no native web-server log table; this detection belongs in IIS / App Service / WAF logs and is expressed on the Sentinel side.
// Closest Defender pivot: any process on a zrok-hosting endpoint making an outbound connection to a link-local / loopback metadata IP shortly after receiving inbound traffic on the share.
let MetadataIPs = dynamic(["127.0.0.1","169.254.169.254","169.254.170.2","fd00:ec2::254","100.100.100.200"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("zrok.exe","zrok","python.exe","python3","python","pythonw.exe")
   or InitiatingProcessCommandLine has_any ("zrok share","ProxyShare","zrok.proxy","urllib.parse.urljoin")
| where RemoteIP in (MetadataIPs) or RemoteIP startswith "169.254."
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessAccountName, ReportId
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-45568`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 2 use case(s) fired, 2 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
