Skip to main content

Zimbra Collaboration EUVDEUVD-2026-13698

| CVE-2026-33372 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-20 mitre
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 20, 2026 - 14:15 euvd
EUVD-2026-13698
Analysis Generated
Mar 20, 2026 - 14:15 vuln.today
CVE Published
Mar 20, 2026 - 00:00 nvd
MEDIUM 5.4

DescriptionCVE.org

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.

AnalysisAI

Zimbra Collaboration Server 10.0 and 10.1 accept CSRF tokens from request bodies instead of enforcing header-based validation, allowing attackers to perform unauthorized actions by deceiving authenticated users into submitting malicious requests. This CSRF bypass affects webmail users and could enable account compromise or sensitive data modification without user awareness. No patch is currently available.

Technical ContextAI

The vulnerability stems from improper CSRF token validation logic in Zimbra Webmail, a component of the Zimbra Collaboration Suite. CSRF token validation is a critical cross-origin request protection mechanism that relies on the server enforcing strict requirements about where tokens must be sourced—typically from HTTP request headers (such as custom headers or cookies) rather than from request body parameters. By accepting CSRF tokens supplied within the request body, Zimbra violates the principle of defense-in-depth for CSRF protection, as attackers can more easily inject crafted tokens or leverage form-based submission vectors that the browser will not block due to same-origin policy exceptions for form submissions. This falls under CWE-352 (Cross-Site Request Forgery), which encompasses failures to properly validate or enforce token presentation requirements. The affected products are Zimbra Collaboration Server versions 10.0 and 10.1, though specific CPE strings are incomplete in available sources.

RemediationAI

Organizations running Zimbra Collaboration Server 10.0 or 10.1 should immediately upgrade to version 10.1.16 or later, which includes the security fix for this CSRF vulnerability (see https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes and consult https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories for the complete advisory). Until patching is possible, implement compensating controls by enforcing strict Content Security Policy (CSP) headers with frame-ancestors 'none' and form-action restrictions to limit cross-origin form submission vectors, enabling SameSite cookie attributes (SameSite=Strict or SameSite=Lax) on all session and authentication cookies, and restricting Zimbra Webmail access to authenticated users via reverse proxy authentication with multi-factor authentication (MFA) enforcement. Monitor the Zimbra Responsible Disclosure Policy page (https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy) for additional guidance and patch status updates.

Share

EUVD-2026-13698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy