ZimaOS CVE-2026-28798

EUVD-2026-18843 · CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-03 · security-advisories@github.com
CVSS 3.1 score 9.0 · GitHub Advisory
Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Apr 16, 2026 05:46 · Analysis Updated · EUVD-patch-fix · executive_summary
Apr 16, 2026 05:29 · Re-analysis Queued · backfill_euvd_patch · patch_released
Apr 16, 2026 05:29 · Patch available · EUVD · version 1.5.3
Apr 03, 2026 20:22 · EUVD ID Assigned · euvd · EUVD-2026-18843
Apr 03, 2026 20:22 · Analysis Generated · vuln.today
Apr 03, 2026 20:16 · CVE Published · nvd · CRITICAL 9.0

Description (GitHub Advisory)

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.
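The advisory describes a proxy endpoint that forwards a caller-supplied URL to services listening on loopback. Below is an added example of the destination check such an endpoint needs before it forwards anything, written in Go because ZimaOS and CasaOS are Go projects. It is not ZimaOS's own code and does not reflect the actual 1.5.3 fix; the function names, the injected resolver and the set of blocked ranges are this example's assumptions. The check resolves the requested host, refuses any answer that lands in loopback, private, link-local or metadata ranges, and returns the vetted IP so the caller dials that address instead of resolving the name a second time.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver maps a hostname to its addresses. It is injected so the check can
// be exercised offline; production callers pass net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// blockedCIDRs are ranges an Internet-facing proxy endpoint should never
// forward to: loopback, RFC 1918, link-local (which includes the cloud
// metadata address 169.254.169.254), CGNAT, "this network", and the IPv6
// loopback, unspecified, ULA and link-local ranges. (Assumed list; extend
// to taste.)
var blockedCIDRs = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "::/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsInternalIP reports whether ip falls inside any blocked range. IPv4-mapped
// IPv6 addresses such as ::ffff:127.0.0.1 are unwrapped to their IPv4 form
// first so they are judged by the IPv4 rules rather than slipping past them.
func IsInternalIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedCIDRs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateProxyTarget parses a caller-supplied target URL and rejects anything
// that would reach an internal service. On success it returns the address the
// caller should dial directly; dialing the vetted IP (rather than the name)
// prevents a DNS answer that changes between check and use from redirecting
// the request to loopback. The check fails closed: unresolvable names and
// non-HTTP schemes are refused.
func ValidateProxyTarget(raw string, resolve Resolver) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, errors.New("only http and https targets are allowed")
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return nil, errors.New("target has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q", host)
		}
	}
	// Every address the name resolves to must be external; a single internal
	// answer is enough to refuse the whole request.
	for _, ip := range ips {
		if IsInternalIP(ip) {
			return nil, fmt.Errorf("target %q resolves to internal address %s", host, ip)
		}
	}
	return ips[0], nil
}

func main() {
	// Constructed sample targets: two that must be refused, one that may pass.
	for _, target := range []string{
		"http://127.0.0.1:8080/", "http://169.254.169.254/", "https://example.com/",
	} {
		ip, err := ValidateProxyTarget(target, net.LookupIP)
		fmt.Printf("%-28s ip=%v err=%v\n", target, ip, err)
	}
}
```

Two points the example does not cover but a real endpoint must: an upstream that answers with a redirect has to be re-checked with the same function before the redirect is followed, and for a deployment that is reachable from the Internet through a tunnel, as in the configuration the advisory describes, an allowlist of the few hosts the UI legitimately needs to reach is stricter than any denylist of ranges.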

Analysis (AI)

Server-side request forgery (SSRF) in ZimaOS web interface allows unauthenticated remote attackers to access internal localhost services when the system is exposed via Cloudflare Tunnel. The vulnerable proxy endpoint (/v1/sys/proxy) enables attackers to bypass network segmentation and reach internal-only endpoints, potentially exposing sensitive local services. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Access ZimaOS via Cloudflare Tunnel
Delivery: Craft request to /v1/sys/proxy endpoint
Exploit: Proxy request to internal localhost services
Execution: Bypass authentication to sensitive endpoints
Impact: Execute unauthorized actions on internal services

Vulnerability Assessment (AI)

Exploitation: ZimaOS versions prior to 1.5.3 with the /v1/sys/proxy endpoint exposed to the Internet via Cloudflare Tunnel or a similar external access mechanism. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Real-world risk is HIGH for Internet-exposed ZimaOS instances using Cloudflare Tunnels, but MODERATE overall because of the specific configuration prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker discovers a ZimaOS instance exposed to the Internet via Cloudflare Tunnel by scanning for common management interfaces or through Shodan/Censys searches. Without requiring authentication, the attacker crafts HTTP requests to the /v1/sys/proxy endpoint, specifying localhost URLs as targets (e.g., http://127.0.0.1:8080/admin, http://localhost:5432 for PostgreSQL, or http://127.0.0.1:2375 for the Docker API). …
Remediation: Upgrade to ZimaOS version 1.5.3 or later, which patches the SSRF vulnerability in the proxy endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all ZimaOS deployments running versions prior to 1.5.3, particularly those exposed via Cloudflare Tunnel or public-facing URLs; assess current exposure status. …

CVE-2026-28798 vulnerability details – vuln.today