Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether the targeted path belongs to restricted system locations. This demonstrates improper input validation and broken access control on sensitive filesystem operations. No known public patch is available.
Published: 2026-03-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted deletion of critical system files
Action: Monitor
AI Analysis

Impact

ZimaOS, a fork of CasaOS used on x86-64 UEFI devices, exposes an API endpoint that deletes files or directories. In version 1.5.2‑beta3 the web interface prevents removal of internal system files, but the API does not check the supplied path against those restricted locations. By modifying the path parameter, an attacker can instruct the backend to delete any file or directory on the filesystem, including protected system locations. This weakness is a classic example of improper input validation (CWE‑73) that results in the loss of essential files and the potential destruction of system functionality.

Affected Systems

The affected product is IceWhaleTech’s ZimaOS, version 1.5.2‑beta3. The operating system is a fork of CasaOS and is designed for Zima devices and general x86‑64 systems with UEFI firmware. No other versions or products were listed as affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, indicating high severity, yet the EPSS score is reported as less than 1%, suggesting a low current exploitation probability. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is the remote API interface; attackers who can reach the deletion endpoint and craft a path parameter can trigger deletion of arbitrary files. The description does not explicitly state authentication requirements, so it is inferred that the API may be vulnerable to unauthenticated or malicious use. Given the high severity and the lack of a public patch, this vulnerability represents a critical risk if the API is exposed to attackers.

Generated by OpenCVE AI on April 18, 2026 at 09:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Require authentication and authorization checks for the delete API, ensuring only privileged users can remove files.
  • Enforce strict path validation in the backend; reject delete requests whose targets fall outside a predefined safe directory scope.
  • Apply OS‑level file permissions or access control lists (ACLs) to protect essential system directories from modification or deletion.
  • Monitor API logs for unauthorized delete attempts and alert on suspicious activity.
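The page shows no ZimaOS code, so the following Go example is added here to illustrate the second and fourth recommended actions together; it is not code from the ZimaOS or CasaOS projects. It confines delete targets to a fixed set of allowed roots after symlink resolution, refuses the roots themselves, and writes one audit line per rejected request. The roots /DATA and /media, the userKey context key populated by an assumed authentication middleware, and the route name in main are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"path/filepath"
	"strings"
)

// AllowedRoots lists the directories a user-initiated delete may touch.
// The two roots are constructed for this example; the page does not
// describe the real ZimaOS volume layout.
var AllowedRoots = []string{"/DATA", "/media"}

// ErrOutsideScope marks a target that resolves outside every allowed root.
var ErrOutsideScope = errors.New("delete target outside allowed directory scope")

// Resolver canonicalises a path (symlinks, "." and ".." segments). It is
// injectable so the check can be exercised without a real filesystem;
// production callers pass nil and get filepath.EvalSymlinks.
type Resolver func(string) (string, error)

// LexicalResolver only normalises the path string and never touches disk.
func LexicalResolver(p string) (string, error) { return filepath.Clean(p), nil }

// insideRoot reports whether path lies strictly below root. The root itself
// is excluded so that a single request cannot remove the whole data volume.
func insideRoot(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil || rel == "." || rel == ".." {
		return false
	}
	return !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ValidateDeletePath returns the canonical path that may be deleted, or an
// error. The request is normalised, then resolved through symlinks, and the
// resolved form must sit inside one of the (equally resolved) allowed roots,
// so neither "../" sequences nor a symlink planted under /DATA can reach
// system locations.
func ValidateDeletePath(requested string, roots []string, resolve Resolver) (string, error) {
	if resolve == nil {
		resolve = filepath.EvalSymlinks
	}
	if requested == "" || !filepath.IsAbs(requested) {
		return "", fmt.Errorf("path must be absolute: %q", requested)
	}
	if strings.ContainsRune(requested, 0) {
		return "", errors.New("path contains a NUL byte")
	}
	cleaned := filepath.Clean(requested)
	resolved, err := resolve(cleaned)
	if err != nil {
		// For a delete, an unresolvable target usually means it does not exist.
		return "", fmt.Errorf("cannot resolve %q: %w", cleaned, err)
	}
	for _, root := range roots {
		realRoot, err := resolve(root)
		if err != nil {
			continue // a missing root never widens the allowed scope
		}
		if insideRoot(realRoot, resolved) {
			return resolved, nil
		}
	}
	return "", ErrOutsideScope
}

// userKey is the context key an (assumed) authentication middleware uses to
// store the verified account name; requests without it are refused.
type userKey struct{}

// DeleteHandler shows where the scope check sits between authentication and
// the actual removal, and logs every rejection so monitoring can alert on it.
func DeleteHandler(w http.ResponseWriter, r *http.Request) {
	user, ok := r.Context().Value(userKey{}).(string)
	if !ok || user == "" {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	requested := r.URL.Query().Get("path")
	target, err := ValidateDeletePath(requested, AllowedRoots, nil)
	if err != nil {
		log.Printf("audit: delete rejected user=%q path=%q remote=%s reason=%v",
			user, requested, r.RemoteAddr, err)
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// os.RemoveAll(target) would run here, after any per-user ownership check.
	fmt.Fprintf(w, "delete permitted for %s\n", target)
}

func main() {
	// Stand-alone demonstration on constructed inputs; no files are touched.
	for _, p := range []string{"/DATA/photos/2024/img.jpg", "/DATA/../etc/passwd", "/DATA", "/etc/hostname"} {
		target, err := ValidateDeletePath(p, AllowedRoots, LexicalResolver)
		fmt.Printf("%-28s -> target=%q err=%v\n", p, target, err)
	}
}
```

Resolving symlinks before the containment check matters because a lexical prefix test alone accepts /DATA/link/passwd when /DATA/link points at /etc; the resolver also fails for a nonexistent target, which for a delete is the correct outcome. The allowed roots are resolved the same way so a root that is itself a symlink still works.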

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 13:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zimaspace; Zimaspace zimaos
CPEs                |                | cpe:2.3:o:zimaspace:zimaos:1.5.2:beta3:*:*:*:*:*:*
Vendors & Products  |                | Zimaspace; Zimaspace zimaos

Fri, 06 Mar 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Icewhaletech; Icewhaletech zimaos
Vendors & Products  |                | Icewhaletech; Icewhaletech zimaos

Thu, 05 Mar 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether the targeted path belongs to restricted system locations. This demonstrates improper input validation and broken access control on sensitive filesystem operations. No known public patch is available.
Title       |                | ZimaOS: Arbitrary Deletion of Internal System Files via API Path Manipulation
Weaknesses  |                | CWE-73
References  |                |
Metrics     |                | cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:32:31.628Z

Reserved: 2026-02-27T15:54:05.140Z

Link: CVE-2026-28442

Vulnrichment

Updated: 2026-03-06T16:32:13.766Z

NVD

Status: Analyzed

Published: 2026-03-05T21:16:22.327

Modified: 2026-03-12T13:07:49.647

Link: CVE-2026-28442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses