CVE-2026-28798: CWE-918: Server-Side Request Forgery (SSRF) in IceWhaleTech ZimaOS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.
AI Analysis
Technical Summary
ZimaOS, an operating system for Zima devices and x86-64 systems with UEFI, has a Server-Side Request Forgery vulnerability (CWE-918) in its web interface proxy endpoint (/v1/sys/proxy) prior to version 1.5.3. When ZimaOS is reachable from the Internet through a Cloudflare Tunnel, this endpoint can be abused to send unauthorized requests to internal localhost services, exposing sensitive internal endpoints without authentication. This vulnerability has been addressed in ZimaOS version 1.5.3. The product is cloud-hosted, and remediation is managed by the vendor.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to access internal-only endpoints and sensitive local services on ZimaOS instances reachable via Cloudflare Tunnel. This can lead to complete compromise of confidentiality, integrity, and availability of the affected system, as reflected by the CVSS score of 9.1 (critical). No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch addressing this vulnerability is available in ZimaOS version 1.5.3. Since ZimaOS is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure their ZimaOS instances are updated to version 1.5.3 or later. Check the vendor advisory for confirmation and further guidance.
CVE-2026-28798: CWE-918: Server-Side Request Forgery (SSRF) in IceWhaleTech ZimaOS
Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ZimaOS, an operating system for Zima devices and x86-64 systems with UEFI, has a Server-Side Request Forgery vulnerability (CWE-918) in its web interface proxy endpoint (/v1/sys/proxy) prior to version 1.5.3. When ZimaOS is reachable from the Internet through a Cloudflare Tunnel, this endpoint can be abused to send unauthorized requests to internal localhost services, exposing sensitive internal endpoints without authentication. This vulnerability has been addressed in ZimaOS version 1.5.3. The product is cloud-hosted, and remediation is managed by the vendor.
Potential Impact
Exploitation of this vulnerability allows unauthenticated attackers to access internal-only endpoints and sensitive local services on ZimaOS instances reachable via Cloudflare Tunnel. This can lead to complete compromise of confidentiality, integrity, and availability of the affected system, as reflected by the CVSS score of 9.1 (critical). No known exploits are reported in the wild at this time.
Mitigation Recommendations
A patch addressing this vulnerability is available in ZimaOS version 1.5.3. Since ZimaOS is a cloud-hosted service, the vendor manages remediation server-side. Users should ensure their ZimaOS instances are updated to version 1.5.3 or later. Check the vendor advisory for confirmation and further guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-03T14:25:19.245Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d01fe40a160ebd92561113
Added to database: 4/3/2026, 8:15:32 PM
Last enriched: 4/11/2026, 9:23:51 AM
Last updated: 5/20/2026, 8:50:00 PM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.