CVE-2026-28798

Name of the Vulnerable Software and Affected Versions ZimaOS versions prior to 1.5.3

Description ZimaOS, a fork of CasaOS, has an issue where the /v1/sys/proxy API endpoint, exposed through its web interface, can be exploited to make requests to internal localhost services. This allows unauthenticated access to internal-only endpoints and sensitive local services when the system is accessible from the internet via a Cloudflare Tunnel. The vulnerable endpoint is /v1/sys/proxy.

Recommendations Update to version 1.5.3 or later.