PT-2026-2122 · Casaos+1
Captain-Noob · Published 2026-01-08 · Updated 2026-01-08 · CVE-2026-21891
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ZimaOS versions up to and including 1.5.0
Description
ZimaOS, a fork of CasaOS, has an authentication bypass in versions up to and including 1.5.0. The application validates usernames but improperly handles password validation for known system service accounts. Specifically, the login function fails to correctly process the password validation result for these users, so anyone who knows a valid system username is granted authenticated access regardless of the password provided. The vulnerable component is the login function. The username parameter is used in the authentication process.
Recommendations
Versions up to and including 1.5.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
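The failure described above, a password check whose result is not enforced for service accounts, modelled as an added Go example next to a fail-closed version and a regression check. This is not ZimaOS or CasaOS code: the account names, passwords, function names and the SHA-256 stand-in for a real password hash are all constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed sample data. SHA-256 stands in for bcrypt/argon2 to stay stdlib-only.
var accounts = map[string][32]byte{
	"alice":  sha256.Sum256([]byte("alice-pass")),
	"daemon": sha256.Sum256([]byte("svc-secret")),
}
var serviceAccounts = map[string]bool{"daemon": true} // hypothetical service account
// passwordOK reports whether pass matches the stored hash for a known user.
func passwordOK(user, pass string) bool {
	want, known := accounts[user]
	got := sha256.Sum256([]byte(pass))
	return known && subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// loginFlawed models the bug class: the check runs, but its result is dropped on one branch.
func loginFlawed(user, pass string) bool {
	if _, known := accounts[user]; !known {
		return false
	}
	ok := passwordOK(user, pass)
	if serviceAccounts[user] {
		return true // the password check result is never consulted here
	}
	return ok
}

// loginFixed fails closed: a single code path whose answer is the check result.
func loginFixed(user, pass string) bool {
	return passwordOK(user, pass)
}

// bypassable is a regression check: it lists accounts that log in with a wrong password.
func bypassable(login func(user, pass string) bool) []string {
	var out []string
	for user := range accounts {
		if login(user, "definitely-wrong") {
			out = append(out, user)
		}
	}
	return out
}

func main() {
	fmt.Println("flawed:", bypassable(loginFlawed), "fixed:", bypassable(loginFixed))
}
```

Running a check like `bypassable` over every account class, including service accounts, in the test suite of the login path catches this kind of regression before release.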
Exploit
Improper Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Casaos
Zimaos