CVE-2026-28286
Received Received - Intake
Insecure Direct Object Reference in ZimaOS API Allows Unauthorized File Creation

Publication date: 2026-03-02

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28286
EUVD
EUVD-2026-9206
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zimaspace zimaos 1.5.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28286 is a high-severity vulnerability in ZimaOS version 1.5.2-beta3 where the backend API allows unauthorized creation of files and folders in sensitive system directories such as /etc and /usr.

While the frontend/UI restricts users from creating files or folders in these critical OS paths, these restrictions can be bypassed by sending crafted requests directly to the API endpoints responsible for file and folder creation.

The root cause is that the API does not properly validate or canonicalize the path parameter, allowing attackers to specify paths outside approved directories and perform unauthorized write operations.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution, privilege escalation, and full server takeover.

Attackers can create or modify files in critical system directories, compromising system integrity and security.

  • Remote Code Execution (RCE)
  • Privilege Escalation
  • Service Disruption
  • Full Server Takeover
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by intercepting and analyzing API requests related to file or folder creation, specifically targeting endpoints like POST /v2_1/files/folder and POST /v2_1/files/file.'}, {'type': 'paragraph', 'content': 'Using tools such as Burp Suite or browser developer tools, you can capture legitimate API requests and modify the path parameter to point to restricted system directories such as /etc/ or /usr/local/bin/. If the API processes these modified requests successfully, it indicates the presence of the vulnerability.'}, {'type': 'list_item', 'content': 'Intercept API requests with Burp Suite or similar proxy tools.'}, {'type': 'list_item', 'content': "Modify the 'path' parameter in POST requests to /v2_1/files/folder or /v2_1/files/file to point to sensitive directories like /etc or /usr."}, {'type': 'list_item', 'content': 'Send the modified request and observe if the API allows creation of files or folders in these restricted locations.'}, {'type': 'paragraph', 'content': 'The expected secure behavior is that the API should reject such requests with HTTP error codes like 403 Forbidden or 400 Bad Request.'}] [1]

Mitigation Strategies

Immediate mitigation steps include implementing strict server-side validation and canonicalization of file path parameters to ensure that file operations are restricted to approved directories only.

  • Restrict file and folder creation operations to a predefined base directory using techniques such as chroot or sandboxing.
  • Reject any API requests containing path traversal sequences or targeting sensitive system directories like /etc or /usr.
  • Apply strict allowlist-based directory access controls to prevent unauthorized write access.

Since no patched versions are currently available, these mitigations must be applied at the server or application configuration level to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28286. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart