CVE-2026-28286
Insecure Direct Object Reference in ZimaOS API Allows Unauthorized File Creation
Publication date: 2026-03-02
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zimaspace | zimaos | 1.5.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28286 is a high-severity vulnerability in ZimaOS version 1.5.2-beta3. The backend API allows files and folders to be created in sensitive system directories such as /etc and /usr.
The frontend/UI prevents users from creating files or folders in these critical OS paths, but that restriction exists only on the client side: it can be bypassed by sending crafted requests directly to the API endpoints responsible for file and folder creation.
The root cause is that the API does not validate or canonicalize the path parameter on the server side, so an attacker can supply a path outside the approved directories and the API performs the write.
How can this vulnerability impact me?
Because the API will write into directories that the operating system and its services trust, an attacker who can reach the endpoint can plant or overwrite files in system paths, compromising the integrity of the host. Depending on where the file lands (for example a directory on the system PATH or one read by a privileged service), this can escalate to code execution with the privileges of the ZimaOS backend and, from there, to control of the server.
- Remote Code Execution (RCE)
- Privilege Escalation
- Service Disruption
- Full Server Takeover
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting and analyzing API requests related to file or folder creation, specifically the endpoints POST /v2_1/files/folder and POST /v2_1/files/file.
Using a tool such as Burp Suite or the browser developer tools, capture a legitimate API request and modify the path parameter to point to a restricted system directory such as /etc/ or /usr/local/bin/. If the API processes the modified request successfully, the vulnerability is present.
- Intercept API requests with Burp Suite or a similar proxy.
- Modify the 'path' parameter in POST requests to /v2_1/files/folder or /v2_1/files/file so that it points to a sensitive directory such as /etc or /usr.
- Send the modified request and observe whether the API creates the file or folder in the restricted location.
The expected secure behavior is that the API rejects such requests with an HTTP error such as 403 Forbidden or 400 Bad Request. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is strict server-side validation and canonicalization of file path parameters, so that every file operation is resolved and then checked against the approved base directory before anything is written. Client-side restrictions in the UI do not count.
- Confine file and folder creation to a predefined base directory, using chroot, a sandbox, or at minimum a canonicalize-then-compare check in the handler.
- Reject any request whose canonicalized path still escapes the base directory; this covers traversal sequences such as ../ as well as absolute paths into /etc or /usr. Prefer this allowlist check over a blocklist of known system directories, which is easy to miss entries in.
- Apply the same allowlist-based directory access control to every write endpoint, not only the two named above.
Since no patched versions are currently available, these mitigations must be applied at the server or application configuration level to reduce risk.
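The following Go program is an added example, not ZimaOS code, that ties together the detection procedure and the mitigation above. It stands up two local test servers: one handler that mirrors the described flaw by trusting the path field as-is, and one that canonicalizes the path and rejects anything outside an allowlisted base directory. A probe function then sends the crafted POST /v2_1/files/folder request from the detection steps to each and reports whether a path under /etc was accepted. The JSON field name "path", the base directory /DATA, and the absence of any authentication header are assumptions; a real ZimaOS instance will need whatever session credentials its API expects, and neither handler creates anything on disk.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// createReq is the request body the probe sends. The "path" field name
// follows the advisory's wording; the full schema is an assumption.
type createReq struct {
	Path string `json:"path"`
}

// resolveUnderBase canonicalizes a user-supplied path and returns it only if
// it stays inside base. Relative paths are joined to base; absolute paths are
// accepted only when they already sit under base. "../" sequences are removed
// by Clean before the comparison, and the Rel check defeats prefix tricks
// such as "/DATAX" matching "/DATA". For paths whose parent already exists,
// a production check should also run filepath.EvalSymlinks on that parent so
// a symlink under base cannot point outside it.
func resolveUnderBase(base, userPath string) (string, bool) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", false
	}
	cleaned := filepath.Clean(userPath)
	candidate := cleaned
	if !filepath.IsAbs(cleaned) {
		candidate = filepath.Join(absBase, cleaned)
	}
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", false
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", false
	}
	return candidate, true
}

// vulnerableHandler mirrors the flaw described on the page: the path is used
// exactly as the client sent it. (A real server would call os.MkdirAll here.)
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var req createReq
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "created %s", req.Path)
}

// hardenedHandler performs the canonicalize-then-compare check before
// acting, returning 403 for any path that escapes base.
func hardenedHandler(base string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req createReq
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		target, ok := resolveUnderBase(base, req.Path)
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "created %s", target)
	}
}

// newServer mounts a handler on the endpoint named in the advisory.
func newServer(h http.HandlerFunc) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2_1/files/folder", h)
	return httptest.NewServer(mux)
}

// probe sends the crafted request from the detection steps and returns true
// when the server accepted the out-of-base path, i.e. when it is vulnerable.
func probe(baseURL, path string) (accepted bool, status int, err error) {
	body, _ := json.Marshal(createReq{Path: path})
	resp, err := http.Post(baseURL+"/v2_1/files/folder", "application/json", bytes.NewReader(body))
	if err != nil {
		return false, 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode >= 200 && resp.StatusCode < 300, resp.StatusCode, nil
}

func main() {
	targets := []struct {
		name string
		h    http.HandlerFunc
	}{
		{"vulnerable", vulnerableHandler},
		{"hardened", hardenedHandler("/DATA")},
	}
	for _, t := range targets {
		srv := newServer(t.h)
		accepted, status, err := probe(srv.URL, "/etc/zimaos-probe") // constructed probe path
		srv.Close()
		fmt.Printf("%-10s status=%d accepted_outside_base=%v err=%v\n", t.name, status, accepted, err)
	}
}
```

Running it prints one line per server: the vulnerable handler answers 200 and accepts /etc/zimaos-probe, the hardened one answers 403. Against a real host, point probe at the ZimaOS base URL, add the session credentials the API requires, and treat any 2xx for a path outside the data directory as a positive finding.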