CVE-2026-28798: Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-28798

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS

Source: NVD (National Vulnerability Database)

Vulnerability Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated access to internal-only endpoints and sensitive local services when the product is reachable from the Internet through a Cloudflare Tunnel. This issue has been patched in version 1.5.3.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

服务端请求伪造(SSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

ZimaOS 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

ZimaOS是IceWhaleTech的一个开源的操作系统项目，旨在提供一个轻量级、高性能、安全的操作系统环境。 ZimaOS 1.5.3之前版本存在代码问题漏洞，该漏洞源于Web界面暴露的代理端点可能被滥用，向内部本地主机服务发起请求，可能导致当产品通过Cloudflare Tunnel可从互联网访问时，未经验证即可访问内部端点和敏感本地服务。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
IceWhaleTech	ZimaOS	< 1.5.3	-

II. Public POCs for CVE-2026-28798

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

kimi-k2.5 · 6501 chars

Paid plan includes:

In-depth vulnerability mechanism

Trigger conditions & impact

Full executable POC code

Exploit chain & mitigation

POC zip download

100+ AI POC generations per month

Upgrade Pro to unlock ¥99/month Sign up first

III. Intelligence Information for CVE-2026-28798

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: ZimaOS

Same vendor: IceWhaleTech

Same weakness: CWE-918

V. Comments for CVE-2026-28798

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2026-28798

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-28798

III. Intelligence Information for CVE-2026-28798

IV. Related Vulnerabilities

V. Comments for CVE-2026-28798

Leave a comment