Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypassable. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
Published: 2026-03-02
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Creation
Action: Assess Impact
AI Analysis

Impact

An API endpoint in ZimaOS does not properly validate the target file path. By crafting a request with a path such as /etc or /usr, the API can create files or directories in system locations that normal users should not have write access to. This flaw allows an attacker to add or modify system files through the API, potentially disrupting configuration or creating a foothold for further exploitation.

Affected Systems

The vulnerability exists in IceWhaleTech ZimaOS version 1.5.2‑beta3. No other versions or related products are listed in the advisory.

Risk and Exploitability

The defect is rated high with a CVSS score of 8.6, while the EPSS probability is below 1% and it is not listed in the CISA KEV catalog. Exploitation requires only that an attacker can reach the vulnerable API endpoint; the path‑validation bypass enables file operations regardless of the caller’s privileges. The risk is elevated for installations that expose the API to untrusted networks or users who can send bespoke requests.

Generated by OpenCVE AI on April 17, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Restrict the API endpoint that creates files or directories to privileged users or disable it for non‑admin accounts.
  • Add server‑side validation to reject any path that resolves outside the intended application directories; disallow absolute paths or sequences that traverse upward.
  • Limit connectivity to the ZimaOS API by placing it behind a firewall or in a segregated subnet, permitting access only from trusted hosts.
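The second recommended action, server-side validation that rejects any target path resolving outside the directories the application is meant to manage, shown as an added Go example. This is not ZimaOS or CasaOS code: the allow-list of writable roots (/DATA and /media) is constructed for the example and the ResolveWritePath helper is hypothetical. The check canonicalises the client-supplied path with filepath.Clean and only then tests whether the result lies under an allowed root, so ".", "..", and prefix look-alikes such as /DATAbackup are all rejected before any file is created.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed example roots (not from the advisory): the only directory
// trees the file/folder creation endpoint is permitted to write into.
var allowedRoots = []string{"/DATA", "/media"}

// ErrOutsideRoot is returned when a target escapes every allowed root.
var ErrOutsideRoot = errors.New("path resolves outside the permitted directories")

// ResolveWritePath validates a client-supplied target path and returns the
// cleaned absolute path the server may safely create. The containment test
// is lexical: it runs after filepath.Clean has collapsed "." and ".."
// segments, so traversal sequences cannot push the result past a root.
// It does not follow symlinks; see the note after the block.
func ResolveWritePath(roots []string, requested string) (string, error) {
	if requested == "" || strings.ContainsRune(requested, 0) {
		return "", errors.New("invalid path")
	}
	// Relative targets would be resolved against the server's working
	// directory, which the client must not be allowed to pick.
	if !filepath.IsAbs(requested) {
		return "", errors.New("path must be absolute")
	}
	cleaned := filepath.Clean(requested)
	for _, root := range roots {
		root = filepath.Clean(root)
		// Rel gives "." for the root itself and a path beginning with ".."
		// when cleaned lies outside root; a sibling such as /DATAbackup
		// therefore yields "../DATAbackup/..." and is rejected.
		rel, err := filepath.Rel(root, cleaned)
		if err != nil {
			continue
		}
		if rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return cleaned, nil
		}
	}
	return "", ErrOutsideRoot
}

func main() {
	// Constructed sample targets: the first two are accepted, the rest refused.
	samples := []string{
		"/DATA/docs/new.txt",
		"/DATA/./sub/../file",
		"/DATA/../etc/demo.conf",
		"/etc/demo.conf",
		"/DATAbackup/x",
		"relative/x",
	}
	for _, p := range samples {
		resolved, err := ResolveWritePath(allowedRoots, p)
		fmt.Printf("%-26s -> %q %v\n", p, resolved, err)
	}
}
```

In a deployment the lexical check should be followed by filepath.EvalSymlinks on the nearest existing ancestor of the cleaned path, because a symlink placed inside an allowed root can still point at /etc or /usr; the lexical step is what stops the traversal and absolute-path cases the advisory describes, the symlink step closes the remaining gap.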

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Zimaspace
                                      Zimaspace zimaos
CPEs                                  cpe:2.3:o:zimaspace:zimaos:1.5.2:beta3:*:*:*:*:*:*
Vendors & Products                    Zimaspace
                                      Zimaspace zimaos

Wed, 04 Mar 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Icewhaletech
                                      Icewhaletech zimaos
Vendors & Products                    Icewhaletech
                                      Icewhaletech zimaos

Tue, 03 Mar 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 16:45:00 +0000

Type                 Values Removed   Values Added
Description                           ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
Title                                 ZimaOS: Unauthorized Creation of Files/Folders in Restricted System Directories via API
Weaknesses                            CWE-73
References
Metrics                               cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-03T15:51:04.880Z

Reserved: 2026-02-26T01:52:58.735Z

Link: CVE-2026-28286

Vulnrichment

Updated: 2026-03-03T15:50:58.842Z

NVD

Status: Analyzed

Published: 2026-03-02T17:16:33.610

Modified: 2026-03-05T15:16:02.397

Link: CVE-2026-28286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:45:16Z

Weaknesses