Skip to main content

Sogo EUVDEUVD-2026-14269

| CVE-2026-33550 LOW
Use of Single-factor Authentication (CWE-308)
2026-03-22 mitre GHSA-9x6p-jf26-xmx7
2.0
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 22, 2026 - 02:30 euvd
EUVD-2026-14269
Analysis Generated
Mar 22, 2026 - 02:30 vuln.today
CVE Published
Mar 22, 2026 - 02:16 nvd
LOW 2.0

DescriptionCVE.org

SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

AnalysisAI

SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.

Technical ContextAI

SOGo is an open-source groupware suite (affected via CPE cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*) that provides calendar, contact, and email services with integrated authentication and multi-factor authentication features. The vulnerability relates to CWE-308 (Use of Single-factor Authentication), which occurs when OTP regeneration logic fails to create a new secret when MFA is toggled, and the entropy of the OTP is insufficient (12 digits ≈ 40 bits of entropy vs. 20 digits ≈ 66 bits). This allows both token reuse attacks if the original token is compromised and reduced brute-force resistance due to shorter keyspace.

RemediationAI

Upgrade SOGo to version 5.12.5 or later to resolve both the OTP regeneration and entropy issues. Organizations unable to immediately patch should implement compensating controls by enforcing strong password policies in addition to OTP authentication, disabling MFA toggle functionality for non-administrative users, and logging all MFA configuration changes for audit purposes. Additionally, restrict administrative access to trusted networks and enable alerting for any MFA modifications. The vendor advisory and patch are available at https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.5.

More in Sogo

View all
CVE-2015-5395 HIGH POC
8.8 Sep 20

Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0. Rated high severity (CVSS 8.8), this vulnerability

CVE-2025-63499 MEDIUM POC
6.1 Dec 04

Alinto Sogo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the theme parameter.

CVE-2025-63498 MEDIUM POC
6.1 Nov 24

alinto SOGo 5.12.3 is vulnerable to Cross Site Scripting (XSS) via the "userName" parameter. Rated medium severity (CVSS

CVE-2016-6189 MEDIUM POC
4.3 Feb 17

Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive in

CVE-2021-33054 HIGH
7.5 Jun 04

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receiv

CVE-2026-46446 HIGH
7.1 May 14

SQL injection in SOGo versions prior to 5.12.7 allows authenticated users to inject arbitrary SQL when changing their pa

CVE-2026-46445 HIGH
7.1 May 14

SQL injection in Alinto SOGo versions prior to 5.12.7 allows authenticated remote attackers to manipulate database queri

CVE-2016-6188 MEDIUM
6.5 Feb 03

Memory leak in SOGo 2.3.7 allows remote attackers to cause a denial of service (memory consumption) via a large number o

CVE-2025-71276 MEDIUM
6.4 Mar 22

SOGo before version 5.12.5 contains a cross-site scripting (XSS) vulnerability affecting the events, tasks, and contacts

CVE-2014-9905 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to i

CVE-2016-6191 MEDIUM
6.1 Feb 17

Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3

CVE-2026-8496 MEDIUM
6.1 May 13

Stored XSS in Alinto SOGo's ICS calendar invitation viewer enables a remote unauthenticated attacker to execute arbitrar

Vendor StatusVendor

Debian

Bug #1131606
sogo
Release Status Fixed Version Urgency
bullseye vulnerable 5.0.1-4+deb11u1 -
bullseye (security) vulnerable 5.0.1-4+deb11u3 -
bookworm vulnerable 5.8.0-2+deb12u2 -
trixie vulnerable 5.12.1-3+deb13u1 -
forky, sid vulnerable 5.12.4-1.2 -
(unstable) fixed (unfixed) -

Share

EUVD-2026-14269 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy