Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.
AnalysisAI
Zimbra Collaboration Server 10.0 and 10.1 accept CSRF tokens from request bodies instead of enforcing header-based validation, allowing attackers to perform unauthorized actions by deceiving authenticated users into submitting malicious requests. This CSRF bypass affects webmail users and could enable account compromise or sensitive data modification without user awareness. No patch is currently available.
Technical ContextAI
The vulnerability stems from improper CSRF token validation logic in Zimbra Webmail, a component of the Zimbra Collaboration Suite. CSRF token validation is a critical cross-origin request protection mechanism that relies on the server enforcing strict requirements about where tokens must be sourced—typically from HTTP request headers (such as custom headers or cookies) rather than from request body parameters. By accepting CSRF tokens supplied within the request body, Zimbra violates the principle of defense-in-depth for CSRF protection, as attackers can more easily inject crafted tokens or leverage form-based submission vectors that the browser will not block due to same-origin policy exceptions for form submissions. This falls under CWE-352 (Cross-Site Request Forgery), which encompasses failures to properly validate or enforce token presentation requirements. The affected products are Zimbra Collaboration Server versions 10.0 and 10.1, though specific CPE strings are incomplete in available sources.
RemediationAI
Organizations running Zimbra Collaboration Server 10.0 or 10.1 should immediately upgrade to version 10.1.16 or later, which includes the security fix for this CSRF vulnerability (see https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes and consult https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories for the complete advisory). Until patching is possible, implement compensating controls by enforcing strict Content Security Policy (CSP) headers with frame-ancestors 'none' and form-action restrictions to limit cross-origin form submission vectors, enabling SameSite cookie attributes (SameSite=Strict or SameSite=Lax) on all session and authentication cookies, and restricting Zimbra Webmail access to authenticated users via reverse proxy authentication with multi-factor authentication (MFA) enforcement. Monitor the Zimbra Responsible Disclosure Policy page (https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy) for additional guidance and patch status updates.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13698