{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28798", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.245Z", "datePublished": "2026-04-03T20:00:48.045Z", "dateUpdated": "2026-04-06T15:42:48.777Z"}, "containers": {"cna": {"title": "Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m"}, {"name": "https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3"}], "affected": [{"vendor": "IceWhaleTech", "product": "ZimaOS", "versions": [{"version": "< 1.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:00:48.045Z"}, "descriptions": [{"lang": "en", "value": "ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3."}], "source": {"advisory": "GHSA-vqqj-f979-8c8m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:40:06.830577Z", "id": "CVE-2026-28798", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:42:48.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28798", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T15:40:06.830577Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:40:12.501Z"}}], "cna": {"title": "Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS", "source": {"advisory": "GHSA-vqqj-f979-8c8m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "IceWhaleTech", "product": "ZimaOS", "versions": [{"status": "affected", "version": "< 1.5.3"}]}], "references": [{"url": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m", "name": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3", "name": "https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T20:00:48.045Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28798", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:42:48.777Z", "dateReserved": "2026-03-03T14:25:19.245Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T20:00:48.045Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E7A923E-CF1A-4555-9DC8-887A97BDE523", "versionEndExcluding": "1.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3."}], "id": "CVE-2026-28798", "lastModified": "2026-04-13T18:27:54.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T20:16:02.433", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/IceWhaleTech/ZimaOS/releases/tag/1.5.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-vqqj-f979-8c8m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ZimaOS", "source": "cna", "vendor": "IceWhaleTech"}, "product": "zimaos", "vendor": "icewhaletech"}], "analysis": {"en": {"generated_at": "2026-04-13T19:52:05.189063+00:00", "value": {"mitigation_remediation": ["Apply the latest update, ZimaOS\u202f1.5.3, to remove the vulnerable proxy endpoint."], "summary": {"action": "Patch Now", "impact": "Unauthenticated internal service access on local services via proxy"}, "threat_synthesis": {"affected_systems": "All deployments of IceWhaleTech\u2019s ZimaOS before release 1.5.3 are vulnerable. The proxy endpoint was present across all builds prior to that version. Updating to 1.5.3 or later removes the vulnerable functionality.", "description_and_impact": "ZimaOS, a fork of CasaOS, exposed a web\u2011interface endpoint at /v1/sys/proxy that, prior to version\u202f1.5.3, forwarded requests received through an externally reachable Cloudflare Tunnel to services listening on localhost. An attacker could send crafted traffic to this endpoint and reach any internal\u2011only service without authentication, potentially exposing sensitive data or enabling privileged operations. The weakness corresponds to CWE\u2011918, reflecting tainted input used to build a network request.", "risk_and_exploitability": "The base CVSS score of 9.1 indicates a critical severity, and an EPSS score below 1\u202f% suggests current exploitation activity is low. The vulnerability does not appear in known\u2011exploited vulnerability lists, but the presence of a publicly exposed HTTP endpoint and the ability to use a Cloudflare Tunnel significantly lower the barrier for exploitation. An attacker with control over a domain that can point to the tunnel could construct requests targeting the /v1/sys/proxy endpoint, achieving internal access without privileged credentials."}}}}, "created": "2026-04-06T21:23:01.391045+00:00", "updated": "2026-04-14T16:41:49.651154+00:00", "vendors": ["icewhaletech", "icewhaletech$PRODUCT$zimaos"]}