CVE-2026-28798 - Vulnerability Details

- Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.

Published: 2026-04-03

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

ZimaOS, a fork of CasaOS, exposed a web‑interface endpoint at /v1/sys/proxy that, prior to version 1.5.3, forwarded requests received through an externally reachable Cloudflare Tunnel to services listening on localhost. An attacker could send crafted traffic to this endpoint and reach any internal‑only service without authentication, potentially exposing sensitive data or enabling privileged operations. The weakness corresponds to CWE‑918, reflecting tainted input used to build a network request.

Affected Systems

All deployments of IceWhaleTech’s ZimaOS before release 1.5.3 are vulnerable. The proxy endpoint was present across all builds prior to that version. Updating to 1.5.3 or later removes the vulnerable functionality.

Risk and Exploitability

The base CVSS score of 9.1 indicates a critical severity, and an EPSS score below 1 % suggests current exploitation activity is low. The vulnerability does not appear in known‑exploited vulnerability lists, but the presence of a publicly exposed HTTP endpoint and the ability to use a Cloudflare Tunnel significantly lower the barrier for exploitation. An attacker with control over a domain that can point to the tunnel could construct requests targeting the /v1/sys/proxy endpoint, achieving internal access without privileged credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

IceWhaleTech

ZimaOS

affected

Version	Status	Constraints
`< 1.5.3`	affected	—

Configuration 1 [-]

cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Icewhaletech

Zimaos

100%

Version	Status	Scheme	Platform
`[0,1.5.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest update, ZimaOS 1.5.3, to remove the vulnerable proxy endpoint.

Generated by OpenCVE AI on April 13, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3
https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m

History

Mon, 13 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zimaspace Zimaspace zimaos
CPEs		cpe:2.3:o:zimaspace:zimaos::::::::
Vendors & Products		Zimaspace Zimaspace zimaos

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Icewhaletech Icewhaletech zimaos
Vendors & Products		Icewhaletech Icewhaletech zimaos

Mon, 06 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.
Title		Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS
Weaknesses		CWE-918
References		https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3 https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Icewhaletech Zimaos

Zimaspace Zimaos

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-03T20:00:48.045Z

Updated: 2026-04-06T15:42:48.777Z

Reserved: 2026-03-03T14:25:19.245Z

Link: CVE-2026-28798

Vulnrichment

Updated: 2026-04-06T15:40:12.501Z

NVD

Status : Analyzed

Published: 2026-04-03T20:16:02.433

Modified: 2026-04-13T18:27:54.580

Link: CVE-2026-28798

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:49Z

Weaknesses

CWE-918

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object