
SOGo CVE-2026-33550

EUVD-2026-14269
Severity: LOW
Use of Single-factor Authentication (CWE-308)
2026-03-22 mitre GHSA-9x6p-jf26-xmx7
CVSS 3.1 score: 2.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Patch released: Mar 31, 2026 - 21:13 (nvd). Patch available
EUVD ID Assigned: Mar 22, 2026 - 02:30 (euvd). EUVD-2026-14269
Analysis Generated: Mar 22, 2026 - 02:30 (vuln.today)
CVE Published: Mar 22, 2026 - 02:16 (nvd). LOW 2.0

Description (NVD)

SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

Analysis (AI)

SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. …


Remediation (AI)

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.


Vendor Status (Vendor)

Debian

Bug #1131606
sogo
Release               Status      Fixed Version      Urgency
bullseye              vulnerable  5.0.1-4+deb11u1    -
bullseye (security)   vulnerable  5.0.1-4+deb11u3    -
bookworm              vulnerable  5.8.0-2+deb12u2    -
trixie                vulnerable  5.12.1-3+deb13u1   -
forky, sid            vulnerable  5.12.4-1.2         -
(unstable)            fixed       (unfixed)          -
