CVE-2026-28798
Published: 03 April 2026
Summary
CVE-2026-28798 is a critical-severity SSRF (CWE-918) vulnerability in Zimaspace Zimaos. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 18.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Validates inputs to the /v1/sys/proxy endpoint to prevent SSRF abuse targeting internal localhost services.
- Enforces approved information flows to block unauthorized proxy requests from external sources to sensitive internal localhost endpoints.
- Monitors and controls communications at external boundaries to mitigate exposure of the vulnerable web interface proxy via internet-reachable Cloudflare Tunnels.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in an unauthenticated, publicly reachable web proxy endpoint (/v1/sys/proxy) directly enables exploitation of a public-facing application to reach internal localhost services.
NVD Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.
Deeper analysis
CVE-2026-28798 affects ZimaOS, a fork of CasaOS designed as an operating system for Zima devices and x86-64 systems with UEFI support. Prior to version 1.5.3, the web interface exposes a proxy endpoint at /v1/sys/proxy that can be abused to forward requests to internal localhost services. This vulnerability, classified under CWE-918 (Server-Side Request Forgery), carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact network-based exploitation with changed scope.
Attackers can exploit this issue without authentication if the ZimaOS instance is reachable from the internet via a Cloudflare Tunnel configured with an externally accessible domain. By abusing the proxy endpoint, remote adversaries can make unauthorized requests to internal-only endpoints and sensitive local services on localhost, potentially leading to full compromise of confidentiality, integrity, and availability on the affected system. The high attack complexity stems from the need for specific Cloudflare Tunnel exposure.
The issue has been addressed in ZimaOS version 1.5.3, as detailed in the official release notes and security advisory. Security practitioners should upgrade to this patched version immediately. Relevant resources include the release page at https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3 and the GitHub advisory at https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m.
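As an added illustration (not ZimaOS's own code, which is not reproduced here), the following Go function shows the destination validation that a proxy endpoint like /v1/sys/proxy needs to satisfy AC-4 style flow enforcement: a default-deny allowlist plus rejection of loopback, link-local, unspecified and private addresses. The allowlist entry api.example.com, the function names and the sample targets are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Hypothetical allowlist of hosts the proxy may forward to; in a real
// deployment this would come from configuration, never from the request.
var allowedHosts = map[string]bool{
	"api.example.com": true,
}

// isInternalIP reports whether ip is loopback, unspecified, link-local
// (including 169.254.169.254-style metadata endpoints) or RFC 1918/ULA private.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsPrivate()
}

// CheckProxyTarget validates the destination a proxy endpoint was asked to
// forward to. It returns nil when the target is permitted, otherwise an error
// describing why it was rejected.
func CheckProxyTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable target: %v", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // strips port and IPv6 brackets
	if host == "" {
		return fmt.Errorf("empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("loopback hostname %q rejected", host)
	}
	if ip := net.ParseIP(host); ip != nil {
		if isInternalIP(ip) {
			return fmt.Errorf("internal address %s rejected", ip)
		}
		return fmt.Errorf("literal IP %s is not allowlisted", ip)
	}
	if !allowedHosts[host] {
		return fmt.Errorf("host %q not in allowlist", host)
	}
	return nil
}

func main() {
	// Constructed sample targets: the first four must be rejected, the last allowed.
	for _, t := range []string{"http://127.0.0.1:8080/", "http://[::1]/", "http://localhost/",
		"http://169.254.169.254/latest", "https://api.example.com/v1"} {
		fmt.Println(t, "->", CheckProxyTarget(t))
	}
}
```

Because an allowlisted hostname can still resolve to an internal address (DNS rebinding), a production version should repeat the IP check on the address actually dialed, for example from a custom DialContext.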
Details
- CWE(s)