CVE-2026-28798 Overview
CVE-2026-28798 is a Server-Side Request Forgery (SSRF) vulnerability in ZimaOS, a fork of CasaOS designed for Zima devices and x86-64 systems with UEFI. The vulnerability exists in the proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface. When ZimaOS is accessible from the Internet through a Cloudflare Tunnel, attackers can abuse this endpoint to make requests to internal localhost services, resulting in unauthenticated access to internal-only endpoints and sensitive local services.
Critical Impact
Unauthenticated remote attackers can exploit this SSRF vulnerability to access internal services and sensitive endpoints on ZimaOS systems exposed via Cloudflare Tunnels, potentially leading to full system compromise.
Affected Products
- ZimaOS versions prior to 1.5.3
- CasaOS-based deployments using the vulnerable proxy endpoint
- ZimaOS instances exposed via Cloudflare Tunnel
Discovery Timeline
- 2026-04-03 - CVE-2026-28798 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-28798
Vulnerability Analysis
This SSRF vulnerability (CWE-918) affects the /v1/sys/proxy endpoint in ZimaOS's web interface. The endpoint was designed to facilitate proxy requests but lacks proper validation of the target destination. When ZimaOS is exposed to the Internet through a Cloudflare Tunnel, this creates a dangerous attack surface where external attackers can leverage the proxy functionality to reach internal localhost services that should otherwise be isolated from external access.
The exploitation path involves an attacker sending crafted requests through the externally reachable Cloudflare Tunnel domain to the vulnerable proxy endpoint. The endpoint then forwards these requests to internal services running on localhost, effectively bypassing network segmentation and authentication controls. This can expose sensitive internal APIs, administrative interfaces, and other services that rely on network isolation for security.
Root Cause
The root cause of this vulnerability is insufficient input validation and access control on the /v1/sys/proxy endpoint. The proxy functionality does not properly restrict the target URLs that can be requested, allowing localhost and internal network addresses to be specified. Additionally, the endpoint lacks authentication requirements, meaning any user who can reach the ZimaOS web interface can abuse this functionality.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker needs only to identify a ZimaOS instance that is accessible via a Cloudflare Tunnel. Once identified, the attacker can send HTTP requests to the /v1/sys/proxy endpoint with target URLs pointing to localhost services such as 127.0.0.1 or localhost. The proxy will then forward these requests and return the responses to the attacker, granting access to internal services.
The vulnerability allows attackers to:
- Access internal APIs and administrative endpoints
- Retrieve sensitive configuration data
- Interact with services that trust localhost connections
- Potentially pivot to further attacks on the internal network
Detection Methods for CVE-2026-28798
Indicators of Compromise
- Unusual outbound traffic patterns from ZimaOS to localhost services via the proxy endpoint
- HTTP requests to /v1/sys/proxy containing localhost addresses (127.0.0.1, localhost, ::1)
- Access logs showing proxy requests targeting internal IP ranges or localhost
- Unexpected data retrieval from internal services that should not be externally accessible
Detection Strategies
- Monitor web server access logs for requests to /v1/sys/proxy containing localhost or internal IP addresses in request parameters
- Implement network intrusion detection rules to identify SSRF attack patterns targeting the proxy endpoint
- Review Cloudflare Tunnel access logs for suspicious proxy requests from unknown source IPs
- Deploy web application firewall (WAF) rules to block requests with localhost or private IP ranges in proxy parameters
Monitoring Recommendations
- Enable verbose logging on ZimaOS web interface to capture all proxy endpoint requests
- Configure alerting for any proxy requests targeting localhost or RFC 1918 private address spaces
- Monitor for unauthorized access attempts to internal services that typically only accept localhost connections
- Implement anomaly detection for unusual traffic patterns through the Cloudflare Tunnel
How to Mitigate CVE-2026-28798
Immediate Actions Required
- Upgrade ZimaOS to version 1.5.3 or later immediately
- If immediate patching is not possible, restrict access to ZimaOS through Cloudflare Tunnel or disable public access temporarily
- Review logs for evidence of exploitation attempts targeting the /v1/sys/proxy endpoint
- Audit internal services for any unauthorized access or configuration changes
Patch Information
IceWhaleTech has released version 1.5.3 of ZimaOS which addresses this SSRF vulnerability. The patch implements proper validation and access controls on the proxy endpoint to prevent requests to localhost and internal services. Users should upgrade to this version immediately. For more details, see the ZimaOS Release 1.5.3 and the GitHub Security Advisory GHSA-vqqj-f979-8c8m.
Workarounds
- Disable or restrict public access to ZimaOS via Cloudflare Tunnel until the patch can be applied
- Implement firewall rules to block external access to the /v1/sys/proxy endpoint
- Use network segmentation to isolate ZimaOS from sensitive internal services
- Configure reverse proxy rules to filter and block requests to the vulnerable endpoint
# Example: Block access to vulnerable proxy endpoint using iptables
# Adjust interface and IP ranges as needed for your environment
iptables -A INPUT -p tcp --dport 80 -m string --string "/v1/sys/proxy" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/v1/sys/proxy" --algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
