Platform
linux
Component
zimaos
Fixed in
1.5.4
CVE-2026-28798 is a critical vulnerability affecting ZimaOS versions 1.0.0 through 1.5.2. A misconfigured proxy endpoint allows attackers, particularly those leveraging Cloudflare Tunnel, to bypass localhost restrictions and access internal services without authentication. This poses a significant risk to systems exposed to the internet, potentially leading to data breaches and unauthorized control of internal resources. The vulnerability has been addressed in ZimaOS version 1.5.3.
The primary impact of CVE-2026-28798 stems from the ability to bypass localhost restrictions. An attacker with access to the ZimaOS web interface and a Cloudflare Tunnel can leverage the /v1/sys/proxy endpoint to send requests to internal services that would normally be inaccessible from the outside. This includes services running on localhost, which often contain sensitive data or control functions. For example, an attacker could potentially access internal databases, configuration files, or even execute commands on the system. The blast radius is significant, as any internal service reachable via localhost is now potentially exposed. This vulnerability shares similarities with other proxy bypass vulnerabilities where internal services are inadvertently exposed to external networks.
CVE-2026-28798 was published on 2026-04-03. Its CVSS score of 9.1 (CRITICAL) indicates a high probability of exploitation. While no public exploits have been reported as of this writing, the ease of exploitation using Cloudflare Tunnel suggests a potential for rapid adoption by malicious actors. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Further investigation is needed to determine if any active campaigns are targeting ZimaOS instances.
Exploit status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28798 is to immediately upgrade ZimaOS to version 1.5.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the /v1/sys/proxy endpoint. This can be achieved by modifying the ZimaOS configuration files to prevent requests to this endpoint. Additionally, review and restrict access to any internal services running on localhost. Implement strict firewall rules to limit external access to the ZimaOS web interface. After upgrading, confirm the vulnerability is resolved by attempting to access an internal service via the /v1/sys/proxy endpoint and verifying that access is denied.
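Where the advisory recommends close monitoring, one defensive check is to pull every request to the /v1/sys/proxy path out of the web server's access log and flag the ones the server forwarded (2xx/3xx) rather than denied. This is an added Python example, not ZimaOS code; it assumes Combined Log Format access logs (the sample lines are constructed), and it deliberately does not trust the source address, on the assumption that a tunnel daemon on the same host makes a remote request appear to come from loopback.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Endpoint path from the advisory; log format is an assumption (Combined Log Format).
PROXY_PATH = "/v1/sys/proxy"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOOPBACK_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(ip: str) -> str:
    """Label the client address; reported for context only, never used as a verdict."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOOPBACK_NETS):
        return "loopback"
    if any(addr in net for net in PRIVATE_NETS):
        return "private"
    return "external"


def find_proxy_hits(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per request to the proxy endpoint.

    Verdict is decided by the response alone: a 2xx/3xx means the server
    forwarded the request to an internal service ("forwarded"), anything
    4xx/5xx is "denied". Assumption: a tunnel daemon on the same host makes
    remote requests appear to come from 127.0.0.1, so the source address
    cannot be used to decide whether a request was genuinely local.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        if m.group("path").split("?", 1)[0].rstrip("/") != PROXY_PATH:
            continue
        status = int(m.group("status"))
        findings.append({
            "time": m.group("ts"), "ip": m.group("ip"), "source": classify_source(m.group("ip")),
            "status": str(status), "verdict": "forwarded" if status < 400 else "denied",
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per verdict; any 'forwarded' count on an unpatched host needs review."""
    return dict(Counter(f["verdict"] for f in findings))


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '127.0.0.1 - - [03/Apr/2026:10:00:01 +0000] "GET /v1/sys/proxy HTTP/1.1" 200 512 "-" "example-ua/1.0"',
    '203.0.113.7 - - [03/Apr/2026:10:00:02 +0000] "GET /v1/sys/proxy HTTP/1.1" 200 340 "-" "example-ua/1.0"',
    '203.0.113.7 - - [03/Apr/2026:10:00:03 +0000] "GET /v1/sys/proxy HTTP/1.1" 401 0 "-" "example-ua/1.0"',
    '192.168.1.20 - - [03/Apr/2026:10:00:04 +0000] "GET /v1/apps HTTP/1.1" 200 900 "-" "example-ua/1.0"',
    "not a log line",
]
```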
Update ZimaOS to version 1.5.3 or later to mitigate the vulnerability. This update fixes the unauthenticated access to internal services through the /v1/sys/proxy endpoint when Cloudflare Tunnel is enabled.
CVE-2026-28798 is a critical vulnerability in ZimaOS versions from 1.0.0 up to, but not including, 1.5.3 that allows attackers to bypass localhost restrictions using a proxy endpoint and Cloudflare Tunnel, enabling unauthorized access to internal services.
If you are running ZimaOS versions 1.0.0 through 1.5.2 and your system is accessible from the internet, particularly through Cloudflare Tunnel, you are likely affected by this vulnerability.
The recommended fix is to immediately upgrade ZimaOS to version 1.5.3 or later. As a temporary workaround, you can disable the /v1/sys/proxy endpoint in the configuration.
While no public exploits have been reported, the ease of exploitation suggests a potential for rapid adoption by malicious actors. Continuous monitoring is recommended.
Refer to the official ZimaOS security advisory for detailed information and updates regarding CVE-2026-28798: [https://zimaos.com/security/advisories](https://zimaos.com/security/advisories)