ZimaOS 1.5.2-beta3: Unauthorized file creation in sensitive system directories
CVE-2026-28286
Summary
ZimaOS 1.5.2-beta3 blocks the creation of files and folders in internal OS paths only in the web UI; the backing API does not validate the target path, so a user can send a crafted request directly to the API and create files or directories under /etc, /usr, or other system directories they should have no write access to. This can corrupt the system or be used to compromise it. No patch is publicly available yet; update as soon as the vendor releases one.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| zimaspace | zimaos | 1.5.2 | – |
Original description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypassable. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
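The advisory above comes down to a server that trusts a client-supplied path. The Go example below is added here and is not ZimaOS or CasaOS code; it assumes a hypothetical allowlist of user-writable roots (/DATA and /media, chosen for illustration) and shows the server-side check a file-creation endpoint should apply to the requested path before calling os.MkdirAll or os.Create: confine the cleaned path to an allowed root, reject prefix-confusable siblings, and re-check after following symlinks in the existing parent so that a link inside an allowed root cannot redirect the write into /etc or /usr.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideAllowedRoot is returned for any target that resolves outside the policy roots.
var ErrOutsideAllowedRoot = errors.New("target path is outside the allowed roots")

// PathPolicy holds the absolute directories a user-facing file API may write under.
// The roots are an assumption of this example. They should themselves be real paths
// (run filepath.EvalSymlinks on them once at startup) so that the on-disk comparison
// in ResolveOnDisk is consistent.
type PathPolicy struct {
	Roots []string
}

// Resolve performs the lexical check: the client path must be absolute, and after
// filepath.Clean has collapsed ".." and "." it must equal one of the roots or sit
// below it. Comparing against root+"/" rather than the bare root string stops a
// sibling such as /DATAlegacy from passing for root /DATA.
func (p PathPolicy) Resolve(userPath string) (string, error) {
	if !filepath.IsAbs(userPath) {
		return "", fmt.Errorf("path must be absolute: %q", userPath)
	}
	clean := filepath.Clean(userPath) // "/DATA/../etc/cron.d" becomes "/etc/cron.d"
	for _, root := range p.Roots {
		if clean == root || strings.HasPrefix(clean, root+string(filepath.Separator)) {
			return clean, nil
		}
	}
	return "", fmt.Errorf("%w: %s", ErrOutsideAllowedRoot, clean)
}

// ResolveOnDisk repeats the check after following symlinks in the parent directory,
// which must already exist. A lexically valid path such as /DATA/link/x still escapes
// if /DATA/link is a symlink to /etc; evaluating the parent exposes that.
func (p PathPolicy) ResolveOnDisk(userPath string) (string, error) {
	clean, err := p.Resolve(userPath)
	if err != nil {
		return "", err
	}
	parent, err := filepath.EvalSymlinks(filepath.Dir(clean))
	if err != nil {
		return "", fmt.Errorf("parent directory not usable: %w", err)
	}
	onDisk := filepath.Join(parent, filepath.Base(clean))
	if _, err := p.Resolve(onDisk); err != nil {
		return "", err
	}
	return onDisk, nil
}

func main() {
	policy := PathPolicy{Roots: []string{"/DATA", "/media"}}
	// Constructed sample requests: the first two mimic the crafted API calls the
	// advisory describes, the rest probe traversal and prefix confusion.
	for _, target := range []string{
		"/etc/cron.d/task",
		"/usr/local/bin/tool",
		"/DATA/../etc/passwd",
		"/DATAlegacy/file",
		"/DATA/share/notes.txt",
		"/media/usb0/backup",
	} {
		if resolved, err := policy.Resolve(target); err != nil {
			fmt.Printf("REJECT %-24s %v\n", target, err)
		} else {
			fmt.Printf("ALLOW  %-24s -> %s\n", target, resolved)
		}
	}
}
```

Resolve alone is enough to stop the /etc and /usr requests the advisory describes, but only ResolveOnDisk closes the symlink variant, which is why the two checks are kept separate: the lexical one is cheap and has no filesystem side effects, the on-disk one is what should gate the actual write.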
NVD CVSS 3.1 base score
9.9
Vulnerability type
CWE-73: External Control of File Name or Path
References
- https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-65mg-9gw5-vr7g (GitHub Security Advisory GHSA-65mg-9gw5-vr7g; tagged Exploit, Mitigation, Vendor Advisory)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026