CVE-2026-28442
Published: 05 March 2026
Summary
CVE-2026-28442 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Zimaspace Zimaos. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 18.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, so that a low-privileged user cannot delete restricted internal OS files through a manipulated API path.
- Input validation: requires the backend to validate the path parameter of API delete requests, after canonicalising it, so that it cannot resolve to a protected system location; this addresses the improper input validation at the root of the flaw.
- AC-6 (Least Privilege): restricts low-privileged users from performing delete operations on internal system files and directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a broken access control/path manipulation flaw in a network-accessible management API that lets an authenticated low-privileged user delete arbitrary system files. That maps to exploitation of a public-facing application (T1190), abuse of the flaw to act beyond the caller's granted privileges (T1068), and the resulting unauthorized deletion of files, whether as data destruction (T1485) or to remove evidence (T1070.004, Indicator Removal: File Deletion).
NVD Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete request, internal OS files and directories can be removed successfully. The backend processes these manipulated requests without validating whether the targeted path belongs to restricted system locations. This demonstrates improper input validation and broken access control on sensitive filesystem operations. No known public patch is available.
Deeper analysis
CVE-2026-28442 is a high-severity vulnerability (CVSS 8.5) affecting ZimaOS version 1.5.2-beta3, a fork of CasaOS designed as an operating system for Zima devices and x86-64 systems with UEFI. The issue, classified as CWE-73 (External Control of File Name or Path), stems from improper input validation and broken access control in the backend API that handles filesystem delete operations. The application interface prevents users from deleting internal system files or folders, but the backend does not enforce that restriction itself, so a request sent directly to the API bypasses it. An attacker can alter the path parameter of a delete request to target and remove restricted internal OS files and directories, because the backend never checks whether the supplied path resolves to a protected system location.
According to its CVSS vector, exploitation requires network access (AV:N), low privileges (PR:L) and high attack complexity (AC:H), with no user interaction (UI:N). The scope is changed (S:C) because a flaw in the management API affects the host operating system beneath it, and confidentiality, integrity and availability impacts are all high (C:H/I:H/A:H). In practice, a low-privileged authenticated user sends a crafted delete request with an altered path and removes critical system files; the consequences range from denial of service to data loss to full compromise of the host, depending on which files are targeted.
The primary advisory, GitHub Security Advisory GHSA-q5hp-59wm-9xq3, details the vulnerability but notes that no known public patch was available as of the CVE's publication on 2026-03-05. Until a fix ships, practitioners should monitor the ZimaOS repository for updates, limit which accounts can authenticate to the management API at all (any authenticated low-privileged account is enough to trigger the flaw), keep the API off untrusted networks with network-level controls, and log delete requests whose path parameter resolves outside user data locations so that attempts are visible.
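To make the root cause and the fix concrete, here is an added Go illustration of the bug class described above and of the check the mitigations section calls for. It is not ZimaOS's code (CasaOS and ZimaOS are written in Go, which is why Go is used), and the directory names DATA and etc in the constructed demo tree, the PathPolicy type and all function names are assumptions for the example. It places the vulnerable prefix-only check beside a hardened version that canonicalises the requested path (collapsing ".." and resolving symlinks) before deciding whether the delete is permitted.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrForbiddenPath covers every delete target the policy does not permit:
// outside all allowed roots, inside a protected root, or an allowed root itself.
var ErrForbiddenPath = errors.New("delete refused: path not permitted")

// PathPolicy (assumed type, not ZimaOS's) lists the subtrees a low-privileged
// caller may delete from and the subtrees that are never deletable via the API.
type PathPolicy struct {
	AllowedRoots   []string
	ProtectedRoots []string
}

// naiveCheck is the flawed pattern: a raw string-prefix test on the
// client-supplied path. "<DATA>/../etc/passwd" starts with "<DATA>" and passes.
func naiveCheck(p PathPolicy, requested string) error {
	for _, root := range p.AllowedRoots {
		if strings.HasPrefix(requested, root) {
			return nil
		}
	}
	return ErrForbiddenPath
}

// canon returns the symlink-resolved form of p when it exists on disk and the
// lexically cleaned form otherwise, so policy roots compare like resolved paths.
func canon(p string) string {
	if r, err := filepath.EvalSymlinks(p); err == nil {
		return r
	}
	return filepath.Clean(p)
}

// underRoot reports whether abs equals root or lies inside it, comparing whole
// path components so that "/DATAX" is not treated as a child of "/DATA".
func underRoot(abs, root string) bool {
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// hardenedCheck canonicalises before comparing: the request must be absolute,
// ".." segments are collapsed, symlinks are resolved against the real filesystem
// (the target must exist, which a delete needs anyway), and the resolved path
// must sit strictly inside an allowed root and outside every protected root.
// It returns the resolved path the caller should actually delete.
func hardenedCheck(p PathPolicy, requested string) (string, error) {
	if !filepath.IsAbs(requested) {
		return "", ErrForbiddenPath
	}
	resolved, err := filepath.EvalSymlinks(filepath.Clean(requested))
	if err != nil {
		return "", fmt.Errorf("delete refused: %w", err)
	}
	for _, root := range p.ProtectedRoots {
		if underRoot(resolved, canon(root)) {
			return "", ErrForbiddenPath
		}
	}
	for _, root := range p.AllowedRoots {
		if r := canon(root); underRoot(resolved, r) && resolved != r {
			return resolved, nil
		}
	}
	return "", ErrForbiddenPath
}

// setupDemoTree builds a constructed layout under base: DATA/docs/report.txt
// (user data), etc/passwd (protected), and a symlink DATA/link -> etc that a
// prefix check would follow straight out of the user tree.
func setupDemoTree(base string) (PathPolicy, error) {
	data, etc := filepath.Join(base, "DATA"), filepath.Join(base, "etc")
	for _, step := range []func() error{
		func() error { return os.MkdirAll(filepath.Join(data, "docs"), 0o755) },
		func() error { return os.MkdirAll(etc, 0o755) },
		func() error { return os.WriteFile(filepath.Join(data, "docs", "report.txt"), []byte("user data\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(etc, "passwd"), []byte("root:x:0:0::/root:/bin/sh\n"), 0o644) },
		func() error { return os.Symlink(etc, filepath.Join(data, "link")) },
	} {
		if err := step(); err != nil {
			return PathPolicy{}, err
		}
	}
	return PathPolicy{AllowedRoots: []string{data}, ProtectedRoots: []string{etc}}, nil
}

func main() {
	base, err := os.MkdirTemp("", "zimaos-delete-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	policy, err := setupDemoTree(base)
	if err != nil {
		panic(err)
	}
	data := filepath.Join(base, "DATA")
	// Legitimate file, ".." traversal, symlink escape, and the user root itself.
	for _, req := range []string{data + "/docs/report.txt", data + "/../etc/passwd", data + "/link/passwd", data} {
		_, hardErr := hardenedCheck(policy, req)
		fmt.Printf("%-26s naive=%-5v hardened=%v\n", strings.TrimPrefix(req, base), naiveCheck(policy, req) == nil, hardErr == nil)
	}
}
```

The deciding design point is that the policy is evaluated on the path the kernel will actually operate on, not on the string the client sent: prefix tests on the raw parameter are exactly what "altering the path parameter" defeats. Resolving symlinks also closes the second escape route, where a link inside the user tree points at a system directory. A server-side check like this belongs in the backend delete handler regardless of what the UI enforces.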
Details
- CWE(s)