Primary

Context

ZimaOS Cloudflare Tunnel Proxy Endpoint Vulnerability Allowing Internal Service Access

Vulnerability

A vulnerability in ZimaOS prior to version 1.5.3 allows unauthenticated access to internal localhost services through a proxy endpoint (/v1/sys/proxy) in the web interface. When the product is accessible from the Internet via a Cloudflare Tunnel, this endpoint can be exploited to reach internal-only services and sensitive local endpoints that are meant to be available only on the local network.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services and endpoints, allowing for information disclosure of sensitive configurations and tokens, unauthorized access to admin APIs, and remote discovery of internal services.

Remediation

Users can upgrade to ZimaOS version 1.5.3 to address this vulnerability.

Added: Apr 3, 2026, 8:18 PM

Updated: Apr 3, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.7

remediation

0.0

relevance

5.2

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

7.7

remediation

0.0

relevance

5.2

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

ZimaOS Cloudflare Tunnel Proxy Endpoint Vulnerability Allowing Internal Service Access

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating