CVE-2026-28286
Published: 02 March 2026
Summary
CVE-2026-28286 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Zimaspace Zimaos. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 25.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the API's failure to validate target paths in crafted requests, preventing unauthorized file creation in sensitive directories such as /etc or /usr.
- AC-3 (Access Enforcement): Enforces logical access controls on system resources, so the frontend restrictions cannot be bypassed because the API itself validates and restricts writes to critical paths.
- AC-6 (Least Privilege): Limits what a low-privileged user's API session can do to the privileges it actually needs, reducing the impact of any remaining path validation bypass on sensitive system directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Writing attacker-controlled files into /etc and /usr gives direct access to Linux persistence mechanisms (systemd units, cron entries, rc scripts, local accounts) and to privilege escalation (T1068); the entry point is the network-reachable API (T1190, Exploit Public-Facing Application).
NVD Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
Deeper analysis
CVE-2026-28286 is a path validation vulnerability in ZimaOS version 1.5.2-beta3, a fork of CasaOS designed as an operating system for Zima devices and x86-64 systems with UEFI. The frontend UI enforces restrictions to prevent users from creating files or folders in internal OS paths, but the backend API lacks proper validation of target paths. This allows attackers to bypass restrictions by sending crafted requests that target sensitive system directories such as /etc or /usr, enabling unauthorized file or directory creation in locations inaccessible to normal users. The vulnerability is rated 8.5 on the CVSS 3.1 scale (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path).
A low-privileged authenticated user (PR:L) can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N), achieving a scope change (S:C) with high confidentiality, integrity, and availability impact (C:H/I:H/A:H). By crafting API requests that name restricted paths, the attacker can write files or create directories in critical system areas; depending on the path chosen and the content written, this can lead to privilege escalation, persistence, or full system compromise.
The GitHub Security Advisory at https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g details the issue, confirming the API bypass in version 1.5.2-beta3. No patch is publicly available, so practitioners should restrict API access, monitor for anomalous file creations in sensitive directories, and consider isolating ZimaOS instances until a fix is released.
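The fix the advisory implies, and the check the NVD description and the analysis above say the API lacks, is server-side validation of the target path before any filesystem write. The following Go program is an added example written for this page; it is not ZimaOS or CasaOS code, and the allow-listed roots, the function names and the temporary directory it builds for its demonstration are assumptions. It canonicalises the user-supplied path, including symlinks in the part of it that already exists, and refuses anything that does not resolve beneath a permitted root, so /etc, /usr, `..` traversal and symlink escapes are all rejected before the API touches the disk.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathDenied is returned for any target that does not resolve beneath a permitted root.
var ErrPathDenied = errors.New("target path is outside the permitted roots")

// withinRoot reports whether clean (absolute and already Clean'd) is root itself or a
// descendant of root. The separator-terminated prefix keeps "/DATA" from matching "/DATAbackup".
func withinRoot(clean, root string) bool {
	root = filepath.Clean(root)
	return clean == root || strings.HasPrefix(clean, root+string(filepath.Separator))
}

// resolveExisting canonicalises the part of p that already exists (following symlinks)
// and re-attaches the components that do not exist yet, so the result is the place a
// create or mkdir on p would really land.
func resolveExisting(p string) (string, error) {
	tail := ""
	for {
		resolved, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(resolved, tail), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err // permission problems and the like: fail closed
		}
		parent := filepath.Dir(p)
		if parent == p {
			return "", err // reached "/" without finding anything that exists
		}
		tail = filepath.Join(filepath.Base(p), tail)
		p = parent
	}
}

// SafeWritePath is the server-side check the advisory says the API lacks. roots is the
// allow-list of directories a user may write under (an assumption for this example;
// ZimaOS's real layout is not on the page).
func SafeWritePath(userPath string, roots []string) (string, error) {
	if !filepath.IsAbs(userPath) {
		return "", fmt.Errorf("%w: %q is not absolute", ErrPathDenied, userPath)
	}
	final, err := resolveExisting(filepath.Clean(userPath))
	if err != nil {
		return "", fmt.Errorf("resolving %q: %w", userPath, err)
	}
	for _, root := range roots {
		realRoot, err := filepath.EvalSymlinks(root) // compare against the root's real location
		if err != nil {
			continue // a root that does not exist grants nothing
		}
		if withinRoot(final, realRoot) {
			return final, nil
		}
	}
	return "", fmt.Errorf("%w: %q resolves to %q", ErrPathDenied, userPath, final)
}

// CreateFile stands in for an API handler: the filesystem is only reached through
// SafeWritePath, so a client that skips the frontend gains nothing.
func CreateFile(userPath string, roots []string, content []byte) error {
	p, err := SafeWritePath(userPath, roots)
	if err != nil {
		return err
	}
	return os.WriteFile(p, content, 0o644)
}

func main() {
	// Constructed demonstration: a temporary permitted root containing a symlink that
	// points at /etc, the escape a purely lexical check would miss.
	root, err := os.MkdirTemp("", "zima-root-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	_ = os.Symlink("/etc", filepath.Join(root, "link"))
	roots := []string{root}

	for _, target := range []string{
		root + "/user/notes.txt",        // legitimate
		"/etc/cron.d/backdoor",          // what the advisory describes
		root + "/../../../../usr/bin/x", // traversal out of the root
		root + "/link/passwd",           // symlink escape into /etc
		"relative/path",                 // never acceptable from a client
	} {
		if p, err := SafeWritePath(target, roots); err != nil {
			fmt.Printf("DENY  %s: %v\n", target, err)
		} else {
			fmt.Printf("ALLOW %s -> %s\n", target, p)
		}
	}
}
```

The remaining gap is the window between resolving the path and opening it, during which a symlink could be swapped in; on Go 1.24 and later, opening the allow-listed root with os.OpenRoot and creating files through the returned *os.Root closes that window at the kernel level, because every operation is confined to that directory.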
Details
- CWE(s)