CVE-2026-28286

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:zimaspace:zimaos:1.5.2:beta3:*:*:*:*:*:*

History

05 Mar 2026, 15:16

Type	Values Removed	Values Added
First Time		Zimaspace Zimaspace zimaos
References	~~() https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g -~~	() https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g - Exploit, Mitigation, Vendor Advisory
CPE		cpe:2.3:o:zimaspace:zimaos:1.5.2:beta3::::::

02 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-02 17:16

Updated : 2026-03-05 15:16

NVD link : CVE-2026-28286

Mitre link : CVE-2026-28286

CVE.ORG link : CVE-2026-28286

JSON object : View

Products Affected

zimaspace

zimaos

CWE

CWE-73

External Control of File Name or Path

{"id": "CVE-2026-28286", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2026-03-02T17:16:33.610", "references": [{"url": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-73"}]}], "descriptions": [{"lang": "en", "value": "ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available."}], "lastModified": "2026-03-05T15:16:02.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zimaspace:zimaos:1.5.2:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DB5C60C-7888-4BE5-9FB2-AD34BFB45CAE"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}