Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28798

CVE-2026-28798: ZimaOS Proxy Endpoint SSRF Vulnerability

CVE-2026-28798 is a server-side request forgery flaw in ZimaOS that allows unauthenticated access to internal services via the proxy endpoint. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-28798 Overview

CVE-2026-28798 is a Server-Side Request Forgery (SSRF) vulnerability in ZimaOS, a fork of CasaOS designed for Zima devices and x86-64 systems with UEFI. The vulnerability exists in the proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface. When ZimaOS is accessible from the Internet through a Cloudflare Tunnel, attackers can abuse this endpoint to make requests to internal localhost services, resulting in unauthenticated access to internal-only endpoints and sensitive local services.

Critical Impact

Unauthenticated remote attackers can exploit this SSRF vulnerability to access internal services and sensitive endpoints on ZimaOS systems exposed via Cloudflare Tunnels, potentially leading to full system compromise.

Affected Products

  • ZimaOS versions prior to 1.5.3
  • CasaOS-based deployments using the vulnerable proxy endpoint
  • ZimaOS instances exposed via Cloudflare Tunnel

Discovery Timeline

  • 2026-04-03 - CVE-2026-28798 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-28798

Vulnerability Analysis

This SSRF vulnerability (CWE-918) affects the /v1/sys/proxy endpoint in ZimaOS's web interface. The endpoint was designed to facilitate proxy requests but lacks proper validation of the target destination. When ZimaOS is exposed to the Internet through a Cloudflare Tunnel, this creates a dangerous attack surface where external attackers can leverage the proxy functionality to reach internal localhost services that should otherwise be isolated from external access.

The exploitation path involves an attacker sending crafted requests through the externally reachable Cloudflare Tunnel domain to the vulnerable proxy endpoint. The endpoint then forwards these requests to internal services running on localhost, effectively bypassing network segmentation and authentication controls. This can expose sensitive internal APIs, administrative interfaces, and other services that rely on network isolation for security.

Root Cause

The root cause of this vulnerability is insufficient input validation and access control on the /v1/sys/proxy endpoint. The proxy functionality does not properly restrict the target URLs that can be requested, allowing localhost and internal network addresses to be specified. Additionally, the endpoint lacks authentication requirements, meaning any user who can reach the ZimaOS web interface can abuse this functionality.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker needs only to identify a ZimaOS instance that is accessible via a Cloudflare Tunnel. Once identified, the attacker can send HTTP requests to the /v1/sys/proxy endpoint with target URLs pointing to localhost services such as 127.0.0.1 or localhost. The proxy will then forward these requests and return the responses to the attacker, granting access to internal services.

The vulnerability allows attackers to:

  • Access internal APIs and administrative endpoints
  • Retrieve sensitive configuration data
  • Interact with services that trust localhost connections
  • Potentially pivot to further attacks on the internal network

Detection Methods for CVE-2026-28798

Indicators of Compromise

  • Unusual outbound traffic patterns from ZimaOS to localhost services via the proxy endpoint
  • HTTP requests to /v1/sys/proxy containing localhost addresses (127.0.0.1, localhost, ::1)
  • Access logs showing proxy requests targeting internal IP ranges or localhost
  • Unexpected data retrieval from internal services that should not be externally accessible

Detection Strategies

  • Monitor web server access logs for requests to /v1/sys/proxy containing localhost or internal IP addresses in request parameters
  • Implement network intrusion detection rules to identify SSRF attack patterns targeting the proxy endpoint
  • Review Cloudflare Tunnel access logs for suspicious proxy requests from unknown source IPs
  • Deploy web application firewall (WAF) rules to block requests with localhost or private IP ranges in proxy parameters

Monitoring Recommendations

  • Enable verbose logging on ZimaOS web interface to capture all proxy endpoint requests
  • Configure alerting for any proxy requests targeting localhost or RFC 1918 private address spaces
  • Monitor for unauthorized access attempts to internal services that typically only accept localhost connections
  • Implement anomaly detection for unusual traffic patterns through the Cloudflare Tunnel

How to Mitigate CVE-2026-28798

Immediate Actions Required

  • Upgrade ZimaOS to version 1.5.3 or later immediately
  • If immediate patching is not possible, restrict access to ZimaOS through Cloudflare Tunnel or disable public access temporarily
  • Review logs for evidence of exploitation attempts targeting the /v1/sys/proxy endpoint
  • Audit internal services for any unauthorized access or configuration changes

Patch Information

IceWhaleTech has released version 1.5.3 of ZimaOS which addresses this SSRF vulnerability. The patch implements proper validation and access controls on the proxy endpoint to prevent requests to localhost and internal services. Users should upgrade to this version immediately. For more details, see the ZimaOS Release 1.5.3 and the GitHub Security Advisory GHSA-vqqj-f979-8c8m.

Workarounds

  • Disable or restrict public access to ZimaOS via Cloudflare Tunnel until the patch can be applied
  • Implement firewall rules to block external access to the /v1/sys/proxy endpoint
  • Use network segmentation to isolate ZimaOS from sensitive internal services
  • Configure reverse proxy rules to filter and block requests to the vulnerable endpoint
bash
# Example: Block access to vulnerable proxy endpoint using iptables
# Adjust interface and IP ranges as needed for your environment
iptables -A INPUT -p tcp --dport 80 -m string --string "/v1/sys/proxy" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/v1/sys/proxy" --algo bm -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne