CVE-2026-28798
Received Received - Intake

Unauthenticated SSRF in ZimaOS Proxy Endpoint Exposes Local Services

Vulnerability report for CVE-2026-28798, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-03

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-03
Last Modified
2026-04-13
Generated
2026-07-06
AI Q&A
2026-04-03
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zimaspace zimaos to 1.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in ZimaOS versions prior to 1.5.3. It involves a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface. When the product is accessible from the Internet through a Cloudflare Tunnel, this endpoint can be abused to make requests to internal localhost services. This abuse allows unauthenticated access to internal-only endpoints and sensitive local services.

Impact Analysis

The vulnerability can lead to unauthorized access to sensitive internal services and endpoints without any authentication. This can result in a complete compromise of confidentiality, integrity, and availability of the affected system, as indicated by the high CVSS score (9.0) with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade ZimaOS to version 1.5.3 or later, where the issue has been patched.

Additionally, avoid exposing the ZimaOS web interface proxy endpoint (/v1/sys/proxy) through externally reachable domains or Cloudflare Tunnels until the patch is applied.

Compliance Impact

The vulnerability in ZimaOS allows unauthenticated remote attackers to access sensitive internal endpoints and configuration data, which can lead to information disclosure and unauthorized administrative access.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access.

Specifically, the exposure of sensitive configurations, tokens, and administrative APIs could result in breaches of confidentiality, integrity, and availability of protected data, thereby violating regulatory requirements.

Detection Guidance

This vulnerability can be detected by checking if the ZimaOS web interface exposes the /v1/sys/proxy endpoint and if it is accessible externally, especially through a Cloudflare Tunnel. Since the vulnerability allows unauthenticated requests to internal localhost services via this proxy endpoint, testing access to this endpoint from outside the local network can help identify the issue.

A practical approach is to attempt sending requests to internal services through the /v1/sys/proxy endpoint to see if unauthorized access is possible.

  • Use curl or similar tools to send requests to the proxy endpoint, for example:
  • curl -X POST 'http://<zimaos-device>/v1/sys/proxy' -d '{"url":"http://localhost:80"}'
  • Replace <zimaos-device> with the IP or domain name of the device running ZimaOS.

If the request returns data from internal services (such as user management interfaces or configuration data), the vulnerability is present.

Additionally, monitoring network traffic for unexpected requests to internal localhost services via the /v1/sys/proxy endpoint can help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28798. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart