CVE-2026-28442
Broken Access Control in ZimaOS API Allows System File Deletion
Publication date: 2026-03-05
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zimaspace | zimaos | 1.5.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?:
This vulnerability can lead to permanent deletion of critical operating system and configuration files, causing system instability and denial of service (DoS).
It may also allow an attacker to take over the system or force recovery procedures, thereby compromising the server's integrity, availability, and confidentiality. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2026-28442 is a vulnerability in ZimaOS version 1.5.2-beta3 where users are prevented from deleting internal system files via the application interface, but this restriction can be bypassed by directly interacting with the backend API.
By modifying the path parameter in delete requests sent to the API, an attacker can delete critical system files and directories because the backend does not properly validate or restrict these paths.
This issue arises from improper input validation and broken access control on sensitive filesystem operations, allowing deletion of important OS files such as /etc/passwd or /usr/local/bin/critical-service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting and analyzing delete requests sent to the backend API, specifically requests like DELETE /v2_1/files/file or DELETE /v2_1/files/folder.
Using proxy tools such as Burp Suite or browser Developer Tools, you can capture these requests and check if the path parameter is being manipulated to point to restricted system directories (e.g., /etc/passwd, /usr/local/bin/critical-service, /etc/ssh/).
If the backend processes such requests without rejecting them with HTTP 403 Forbidden or 400 Bad Request status codes, it indicates the presence of the vulnerability.
- Use Burp Suite or similar proxy to intercept DELETE requests to the API.
- Modify the path parameter in intercepted requests to point to sensitive system files or directories.
- Send the modified request and observe the response status code.
- Check if the targeted system files or directories are deleted or if the request is rejected.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing strict server-side validation on all delete operations to ensure that deletion requests cannot target system-critical directories.
Restrict deletions to predefined safe directories only, and implement canonicalization and path normalization checks to prevent path traversal or manipulation.
Reject any requests referencing system-critical directories with appropriate HTTP status codes such as 403 Forbidden or 400 Bad Request.
Apply filesystem sandboxing or chroot jail mechanisms to isolate the application and limit the impact of any unauthorized deletions.
Ensure backend access control is independent of frontend restrictions, as frontend controls can be bypassed.
Since no public patch is currently available, these mitigations are critical to reduce risk until an official fix is released.
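As an added illustration of the server-side checks described above (example code, not ZimaOS's own; the allowed roots /DATA and /media are assumed), a Go validator for a delete path that canonicalises the request, keeps it strictly inside an allow-listed root, and re-checks containment after resolving symlinks:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrNotAbsolute = errors.New("path must be absolute")         // answer 400 Bad Request
var ErrOutsideRoot = errors.New("path outside every allowed root") // answer 403 Forbidden
var ErrIsRoot = errors.New("refusing to delete an allowed root")   // answer 403 Forbidden

// resolveDeleteTarget canonicalises a client-supplied path lexically and accepts
// it only when it lies strictly inside an allowed root; frontend checks play no part.
func resolveDeleteTarget(raw string, roots []string) (string, error) {
	if !filepath.IsAbs(raw) {
		return "", ErrNotAbsolute
	}
	clean := filepath.Clean(raw) // collapses "..", "." and repeated separators
	for _, root := range roots {
		rel, err := filepath.Rel(filepath.Clean(root), clean)
		if err != nil {
			continue
		}
		if rel == "." {
			return "", ErrIsRoot
		}
		// Rel yields ".." or "../x" for anything outside root, so "/DATAX/f" is
		// rejected for root "/DATA" where a naive string-prefix test would pass it.
		if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue
		}
		return clean, nil
	}
	return "", ErrOutsideRoot
}

// resolveOnDisk follows symlinks in an already-validated path and re-checks
// containment, so a link planted inside a root cannot redirect the delete to /etc.
func resolveOnDisk(validated string, roots []string) (string, error) {
	resolved, err := filepath.EvalSymlinks(validated)
	if err != nil {
		return "", err
	}
	return resolveDeleteTarget(resolved, roots)
}

func main() {
	_, err := resolveDeleteTarget("/DATA/../etc/passwd", []string{"/DATA", "/media"})
	fmt.Println("DELETE /DATA/../etc/passwd ->", err) // outside-root error, not a deletion
}
```

The lexical check alone is not enough once a symlink exists inside a root, which is why the on-disk resolution runs just before the actual removal.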