CVE-2026-28798
Received - Intake
Unauthenticated SSRF in ZimaOS Proxy Endpoint Exposes Local Services

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.
Meta Information
Published: 2026-04-03
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: zimaspace
Product: zimaos
Version / Range: up to 1.5.3 (excluding 1.5.3)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in ZimaOS versions prior to 1.5.3. It involves a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface. When the product is accessible from the Internet through a Cloudflare Tunnel, this endpoint can be abused to make requests to internal localhost services. This abuse allows unauthenticated access to internal-only endpoints and sensitive local services.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized access to sensitive internal services and endpoints without any authentication. This can result in a complete compromise of confidentiality, integrity, and availability of the affected system, as indicated by the high CVSS score (9.0) with impacts on confidentiality, integrity, and availability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade ZimaOS to version 1.5.3 or later, where the issue has been patched.

Additionally, avoid exposing the ZimaOS web interface proxy endpoint (/v1/sys/proxy) through externally reachable domains or Cloudflare Tunnels until the patch is applied.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in ZimaOS allows unauthenticated remote attackers to access sensitive internal endpoints and configuration data, which can lead to information disclosure and unauthorized administrative access.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access.

Specifically, the exposure of sensitive configurations, tokens, and administrative APIs could result in breaches of confidentiality, integrity, and availability of protected data, thereby violating regulatory requirements.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the ZimaOS web interface exposes the /v1/sys/proxy endpoint and if it is accessible externally, especially through a Cloudflare Tunnel. Since the vulnerability allows unauthenticated requests to internal localhost services via this proxy endpoint, testing access to this endpoint from outside the local network can help identify the issue.

A practical approach is to attempt sending requests to internal services through the /v1/sys/proxy endpoint to see if unauthorized access is possible.

  • Use curl or similar tools to send requests to the proxy endpoint, for example:

      curl -X POST 'http://<zimaos-device>/v1/sys/proxy' -d '{"url":"http://localhost:80"}'

  • Replace <zimaos-device> with the IP or domain name of the device running ZimaOS.

If the request returns data from internal services (such as user management interfaces or configuration data), the vulnerability is present.

Additionally, monitoring network traffic for unexpected requests to internal localhost services via the /v1/sys/proxy endpoint can help detect exploitation attempts.
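As an added example (not ZimaOS code and not from this record), the following Python scans a constructed request log for calls to /v1/sys/proxy whose body names a loopback, private, link-local or *.localhost target; the one-JSON-record-per-line log format and its field names are assumptions. The same is_internal_target() predicate is the check a hardened proxy endpoint would apply before forwarding a request.

```python
import ipaddress
import json
from urllib.parse import urlparse

PROXY_PATH = "/v1/sys/proxy"  # the endpoint named in the advisory
def is_internal_target(url: str) -> bool:
    """True if the proxied URL targets loopback, unspecified, private, link-local or *.localhost."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return True  # unparsable host part: treat as suspicious rather than ignore it
    if not host or host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        # ip_address() accepts dotted/IPv6 text and bare integers ("2130706433" == 127.0.0.1)
        addr = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False  # a plain hostname; DNS resolution/rebinding is out of scope here
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d before classifying
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local

def flag_proxy_abuse(log_lines):
    """(line_no, client, target_url) for each proxy request whose JSON body names an internal target."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)  # one JSON record per line (assumed log format)
            body = json.loads(rec.get("body") or "{}")
        except json.JSONDecodeError:
            continue
        url = body.get("url")
        if rec.get("path") == PROXY_PATH and url and is_internal_target(url):
            hits.append((n, rec.get("client"), url))
    return hits

def _rec(client, path, url=None):  # builds one constructed log record, not real ZimaOS output
    body = json.dumps({"url": url}) if url else ""
    return json.dumps({"client": client, "method": "POST" if url else "GET", "path": path, "body": body})

SAMPLE_LOG = [
    _rec("203.0.113.5", PROXY_PATH, "http://example.com/"),   # benign external target
    _rec("203.0.113.5", PROXY_PATH, "http://localhost:80/"),  # the advisory's own example
    _rec("198.51.100.7", PROXY_PATH, "http://[::1]:8080/"),   # IPv6 loopback
    _rec("198.51.100.7", PROXY_PATH, "http://2130706433/"),   # decimal form of 127.0.0.1
    _rec("203.0.113.9", "/v1/sys/version"),                   # unrelated endpoint, ignored
]

if __name__ == "__main__":
    for n, client, target in flag_proxy_abuse(SAMPLE_LOG):
        print(f"line {n}: {client} proxied to internal target {target}")
```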

