Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
AnalysisAI
Cross-Site Request Forgery in Zimbra Collaboration Server 10.0 and 10.1 allows remote attackers to perform sensitive account actions such as disabling two-factor authentication by inducing authenticated users to submit crafted requests, exploiting insufficient CSRF protection on authentication tokens issued during account state transitions like password changes or 2FA enablement. No public exploit code has been identified at time of analysis, and patch availability has been confirmed in vendor advisories for versions 10.0.18 and 10.1.13.
Technical ContextAI
Zimbra Collaboration Server (ZCS) uses SOAP-based authentication tokens to manage authenticated sessions in its web client. The vulnerability stems from a flaw in the token issuance mechanism during critical account state transitions-specifically when users enable two-factor authentication or change their password. During these operations, the authentication tokens generated lack proper Cross-Site Request Forgery (CWE-352) validation, meaning the server does not adequately verify that subsequent SOAP requests originate from legitimate user actions rather than attacker-controlled sources. This allows an attacker to craft malicious requests that, when submitted by an authenticated victim through their browser, are executed without CSRF token validation, bypassing a critical security control that should protect sensitive operations.
RemediationAI
Upgrade Zimbra Collaboration Server to version 10.0.18 or later for the 10.0 branch, or to version 10.1.13 or later for the 10.1 branch. These versions include security fixes that enforce consistent CSRF protection for authentication tokens issued during account state transitions. Administrators should review the official Zimbra Security Center (https://wiki.zimbra.com/wiki/Security_Center) and consult the detailed security fixes listed in the Zimbra Releases pages for versions 10.0.18 and 10.1.13 to confirm all mitigations are applied. Until patching is completed, ensure end-users are educated about phishing attacks that attempt to trick them into visiting malicious sites while logged into Zimbra, as user vigilance is the primary defense against CSRF exploitation.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17106
GHSA-pqjp-hqqg-x9w2