Skip to main content

Zimbra Collaboration CVE-2026-33373

| EUVDEUVD-2026-17106 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-30 mitre GHSA-pqjp-hqqg-x9w2
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 15:15 euvd
EUVD-2026-17106
Analysis Generated
Mar 30, 2026 - 15:15 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.

AnalysisAI

Cross-Site Request Forgery in Zimbra Collaboration Server 10.0 and 10.1 allows remote attackers to perform sensitive account actions such as disabling two-factor authentication by inducing authenticated users to submit crafted requests, exploiting insufficient CSRF protection on authentication tokens issued during account state transitions like password changes or 2FA enablement. No public exploit code has been identified at time of analysis, and patch availability has been confirmed in vendor advisories for versions 10.0.18 and 10.1.13.

Technical ContextAI

Zimbra Collaboration Server (ZCS) uses SOAP-based authentication tokens to manage authenticated sessions in its web client. The vulnerability stems from a flaw in the token issuance mechanism during critical account state transitions-specifically when users enable two-factor authentication or change their password. During these operations, the authentication tokens generated lack proper Cross-Site Request Forgery (CWE-352) validation, meaning the server does not adequately verify that subsequent SOAP requests originate from legitimate user actions rather than attacker-controlled sources. This allows an attacker to craft malicious requests that, when submitted by an authenticated victim through their browser, are executed without CSRF token validation, bypassing a critical security control that should protect sensitive operations.

RemediationAI

Upgrade Zimbra Collaboration Server to version 10.0.18 or later for the 10.0 branch, or to version 10.1.13 or later for the 10.1 branch. These versions include security fixes that enforce consistent CSRF protection for authentication tokens issued during account state transitions. Administrators should review the official Zimbra Security Center (https://wiki.zimbra.com/wiki/Security_Center) and consult the detailed security fixes listed in the Zimbra Releases pages for versions 10.0.18 and 10.1.13 to confirm all mitigations are applied. Until patching is completed, ensure end-users are educated about phishing attacks that attempt to trick them into visiting malicious sites while logged into Zimbra, as user vigilance is the primary defense against CSRF exploitation.

Share

CVE-2026-33373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy