CVE-2026-21891
Authentication Bypass in ZimaOS Login via Service Account Password Flaw
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icewhaletech | zimaos | to 1.5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to bypass authentication for critical system accounts, leading to unauthorized access with high confidentiality and integrity impact. Such unauthorized access can result in exposure or alteration of sensitive data, which would violate common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal and sensitive information. Therefore, the vulnerability negatively affects compliance by undermining the security controls mandated by these regulations. [1]
Can you explain this vulnerability to me?
This vulnerability in ZimaOS (versions up to 1.5.0) allows an attacker to bypass authentication by exploiting improper password validation for certain system service usernames. When a username matches one of several predefined system accounts (e.g., root, daemon, www-data), the application skips or misinterprets the password check, allowing anyone to log in with any password for these accounts. This means attackers can gain access without knowing the correct password. [1]
How can this vulnerability impact me? :
The vulnerability can have severe impacts including unauthorized access to the system with high confidentiality and integrity risks. Attackers can gain unrestricted access using common system usernames without valid passwords, potentially leading to data breaches, manipulation of system data, and disruption of services. The availability impact is moderate but confidentiality and integrity impacts are high. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to authenticate to the vulnerable endpoint `/v1/users/login` using one of the affected system usernames with any arbitrary password. For example, you can use the following curl command to test if the authentication bypass exists: curl -X POST http://<IP>/v1/users/login -d '{"username":"www-data","password":" "}' -H "Content-Type: application/json". If the response indicates successful authentication despite the invalid password, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves ensuring that all authentication requests, including those for system usernames, undergo proper password verification. This means removing any special-case logic that exempts system usernames from password checks and implementing robust password validation by cryptographically hashing and comparing provided passwords against stored credentials. Since no patched versions are currently available, consider restricting access to the vulnerable login endpoint or implementing additional network-level protections until a fix is released. [1]