CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Description
SOGo before 5.12.5 does not renew the OTP when a user disables and re-enables it, and the OTP is too short (only 12 digits instead of the recommended 20).
Analysis
SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when a user disables and re-enables two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. The CVSS score is low (2.0) because the attack complexity is high and high privileges are required, but a high-privilege authenticated user who can also persuade a victim to act (UI:R) could use these weaknesses to bypass or weaken OTP protections. …
Remediation
During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.
Vendor Status
Debian
Bug #1131606

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.0.1-4+deb11u1 | - |
| bullseye (security) | vulnerable | 5.0.1-4+deb11u3 | - |
| bookworm | vulnerable | 5.8.0-2+deb12u2 | - |
| trixie | vulnerable | 5.12.1-3+deb13u1 | - |
| forky, sid | vulnerable | 5.12.4-1.2 | - |
| (unstable) | fixed | (unfixed) | - |
EUVD-2026-14269
GHSA-9x6p-jf26-xmx7