CVE-2026-28798

Published: Apr 3, 2026

Modified: Apr 6, 2026

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.

Vendor	Product	Versions
IceWhaleTech	ZimaOS	affected `< 1.5.3`

Weaknesses (CWE)

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m

x_refsource_CONFIRM

https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-28798

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References