CVE-2026-28798: CWE-918: Server-Side Request Forgery (SSRF) in IceWhaleTech ZimaOS
CVE-2026-28798 is a critical Server-Side Request Forgery (SSRF) vulnerability in IceWhaleTech's ZimaOS prior to version 1. 5. 3. The vulnerability exists in a proxy endpoint (/v1/sys/proxy) exposed by the ZimaOS web interface, which can be exploited via an externally reachable domain using a Cloudflare Tunnel. This allows unauthenticated attackers to make requests to internal localhost services, potentially accessing sensitive internal-only endpoints and local services. The issue has been patched in version 1. 5. 3. The vulnerability has a CVSS score of 9. 1, indicating high impact on confidentiality, integrity, and availability.
AI Analysis
Technical Summary
ZimaOS, an operating system forked from CasaOS for Zima devices and x86-64 systems with UEFI, contains an SSRF vulnerability (CWE-918) in its web interface proxy endpoint (/v1/sys/proxy) prior to version 1.5.3. When ZimaOS is accessible from the Internet through a Cloudflare Tunnel, this endpoint can be abused to send unauthorized requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services. The vulnerability has been addressed and patched in version 1.5.3. The CVSS 3.1 base score is 9.1, reflecting critical severity with network attack vector, high complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The vendor manages remediation for this cloud service.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to access internal-only and sensitive local services on ZimaOS devices reachable via Cloudflare Tunnel. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The vulnerability is critical with a CVSS score of 9.1, indicating severe potential impact.
Mitigation Recommendations
A patch addressing this vulnerability is available in ZimaOS version 1.5.3. Users should upgrade to version 1.5.3 or later to remediate the issue. Since this is a cloud-hosted service, the vendor manages remediation for the service. Check the vendor advisory for confirmation and further guidance.
CVE-2026-28798: CWE-918: Server-Side Request Forgery (SSRF) in IceWhaleTech ZimaOS
Description
CVE-2026-28798 is a critical Server-Side Request Forgery (SSRF) vulnerability in IceWhaleTech's ZimaOS prior to version 1. 5. 3. The vulnerability exists in a proxy endpoint (/v1/sys/proxy) exposed by the ZimaOS web interface, which can be exploited via an externally reachable domain using a Cloudflare Tunnel. This allows unauthenticated attackers to make requests to internal localhost services, potentially accessing sensitive internal-only endpoints and local services. The issue has been patched in version 1. 5. 3. The vulnerability has a CVSS score of 9. 1, indicating high impact on confidentiality, integrity, and availability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ZimaOS, an operating system forked from CasaOS for Zima devices and x86-64 systems with UEFI, contains an SSRF vulnerability (CWE-918) in its web interface proxy endpoint (/v1/sys/proxy) prior to version 1.5.3. When ZimaOS is accessible from the Internet through a Cloudflare Tunnel, this endpoint can be abused to send unauthorized requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services. The vulnerability has been addressed and patched in version 1.5.3. The CVSS 3.1 base score is 9.1, reflecting critical severity with network attack vector, high complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The vendor manages remediation for this cloud service.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to access internal-only and sensitive local services on ZimaOS devices reachable via Cloudflare Tunnel. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The vulnerability is critical with a CVSS score of 9.1, indicating severe potential impact.
Mitigation Recommendations
A patch addressing this vulnerability is available in ZimaOS version 1.5.3. Users should upgrade to version 1.5.3 or later to remediate the issue. Since this is a cloud-hosted service, the vendor manages remediation for the service. Check the vendor advisory for confirmation and further guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-03T14:25:19.245Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 69d01fe40a160ebd92561113
Added to database: 4/3/2026, 8:15:32 PM
Last enriched: 4/3/2026, 8:30:29 PM
Last updated: 4/4/2026, 1:08:55 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.