ZimaOS, Broken Access Control, CVE-2026-28442 (High)

Listen to this Post

CVE-2026-28442 is a high-severity vulnerability in ZimaOS version 1.5.2-beta3, a fork of CasaOS designed for Zima devices and x86-64 systems with UEFI . The core issue lies in a discrepancy between the restrictions enforced by the application’s user interface and those enforced by its backend API. While the UI prevents standard users from deleting critical system files or folders, this restriction is not carried over to the API layer . An authenticated attacker who can interact directly with the API can bypass the intended access controls by manipulating the `path` parameter in a file deletion request. By altering this parameter to point to internal system locations (e.g., `/etc/passwd` or other OS directories), the backend processes the request without validating whether the targeted path is a restricted system location . This failure demonstrates improper input validation and broken access control, allowing an attacker to delete arbitrary files and directories on the host system, leading to potential system instability or a complete denial of service .

dailycve form:

Platform: ZimaOS
Version: 1.5.2-beta3
Vulnerability : Broken Access Control
Severity: High (8.6 CVSS)
date: March 5, 2026

Prediction: Patch unlikely soon

What Undercode Say:

Analytics:

The vulnerability was published on March 5, 2026, and updated by the CISA ADP on March 6, 2026, with an SSVC analysis indicating “poc” (Proof of Concept) exists . The vulnerability is classified under CWE-73: External Control of File Name or Path . The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H, which translates to a network-attack vector, high attack complexity, low privileges required, no user interaction, changed scope, and high impact to confidentiality, integrity, and availability .

Exploit:

Exploit ZimaOS 1.5.2-beta3 - Arbitrary File Deletion via API
Author: Based on CVE-2026-28442 Analysis
Date: 2026-03-12
Example: Deleting the /etc/passwd file by manipulating the API path.
Identify the target ZimaOS API endpoint (example endpoint).
Send a DELETE request with a manipulated path parameter.
curl -X DELETE "http://<Zima_Server_IP>:<PORT>/v3/file?path=../../../../etc/passwd" \
-H "Authorization: Bearer <AUTH_TOKEN>"
If the backend lacks validation, this command may delete the system's password file.
Verification command (to run on the target if accessible or check system logs):
ls -la /etc/passwd

Protection from this CVE:

  • Network Segmentation: Restrict access to the ZimaOS API port to trusted internal networks only, preventing external attackers from reaching the endpoint .
  • Input Validation: Implement strict allow-listing for file paths in API deletion requests to ensure they cannot traverse to system directories.
  • Access Control: Enforce the same UI-level restrictions on the backend API by validating user permissions against the resolved absolute path of the file being deleted.
  • Monitoring: Monitor API logs for unusual DELETE requests containing path traversal sequences (e.g., ../) targeting sensitive system directories.

Impact:

Successful exploitation allows an authenticated attacker with low privileges to delete critical operating system files . This can lead to a complete system compromise, denial of service, or data loss. The impact is total on confidentiality, integrity, and availability due to the “Changed” scope in the CVSS score, meaning the vulnerability can affect resources beyond the original intended component .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top