Skip to main content

Zimaos CVE-2026-21891

CRITICAL
Improper Authentication (CWE-287)
2026-01-08 security-advisories@github.com
Authentication Bypass Zimaos
9.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 12, 2026 - 17:13 vuln.today
Public exploit code
CVE Published
Jan 08, 2026 - 14:15 nvd
CRITICAL 9.4

DescriptionGitHub Advisory

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.

AnalysisAI

ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not properly validated during login. Attackers can access the system using known service account names with any password. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send login request with known service account username
Exploit
Application skips password validation
Execution
Receive authenticated session token
Impact
Access system with high privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation ZimaOS versions up to and including 1.5.0 with known system service account usernames (e.g., root, admin, service accounts). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.4 (Critical). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a ZimaOS instance, logs in using a system service account name (e.g., 'root', 'admin', or a service name) with any password. The system grants full access, exposing all stored files and device configuration.
Remediation Update ZimaOS immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all affected systems running versions and apply vendor patches immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-21891 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy