CVE-2026-21891
Published: 08 January 2026
Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate…
more
the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.
Mitigating Controls (NIST 800-53 r5)AI
Requires systems to implement robust identification and authentication mechanisms that properly validate both usernames and passwords for all accounts, directly preventing the authentication bypass for known system service accounts in ZimaOS.
Mandates account management including identification, review, and disabling of unnecessary or risky system service accounts, blocking exploitation via known usernames with arbitrary passwords.
Requires timely identification, reporting, and remediation of flaws such as the improper password handling in ZimaOS login function, eliminating the authentication bypass vulnerability through patching.
Security SummaryAI
CVE-2026-21891 is an authentication bypass vulnerability affecting ZimaOS, a fork of CasaOS designed as an operating system for Zima devices and x86-64 systems with UEFI support. In versions up to and including 1.5.0, the login function properly validates usernames but skips, misinterprets, or incorrectly handles password validation when the username matches a known system service account. This results in any password being accepted for these accounts, granting unauthorized authenticated access. The vulnerability carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) and is associated with CWE-287 (Improper Authentication).
Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. By providing a known system service account username paired with any arbitrary password, an attacker can successfully authenticate and gain access to the affected system's administrative or service-level functions, potentially leading to high-impact confidentiality and integrity violations, such as data exfiltration or system modification, alongside limited availability disruption.
The primary advisory from IceWhaleTech on GitHub (GHSA-xj93-qw9p-jxq4) confirms the issue and notes that, as of the CVE publication on January 8, 2026, no patched versions of ZimaOS are available. Security practitioners should monitor for updates from the vendor, restrict network exposure of ZimaOS instances, and consider implementing network-level access controls or disabling the affected login endpoint until a fix is released.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of a public-facing application (T1190) via authentication bypass for known system service accounts (facilitating T1078.001: Default Accounts).