CVE-2026-33373

Source
https://cve.org/CVERecord?id=CVE-2026-33373
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33373.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33373
Published
2026-03-30T00:00:00Z
Modified
2026-07-08T08:12:48.689084622Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33373.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git
github.com/zimbra/zm-build

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-build
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.0.18"
        },
        {
            "introduced": "10.1.0"
        },
        {
            "fixed": "10.1.13"
        }
    ]
}

Affected versions

10.*
10.0.0-GA
10.0.1
10.0.13
10.0.16
10.0.4
10.0.5
10.0.6
10.0.9
10.1.0
10.1.1
10.1.10
10.1.4
10.1.5
10.1.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33373.json"
github.com/zimbra/zm-mailbox

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-mailbox
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.0.18"
        },
        {
            "introduced": "10.1.0"
        },
        {
            "fixed": "10.1.13"
        }
    ]
}

Affected versions

10.*
10.0.0-GA
10.0.1
10.0.11
10.0.12
10.0.13
10.0.16
10.0.2
10.0.5
10.0.6
10.0.7
10.0.8
10.0.9
10.1.0
10.1.1
10.1.10
10.1.2
10.1.3
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33373.json"
github.com/zimbra/zm-zcs

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-zcs
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.1.0"
        },
        {
            "fixed": "10.1.13"
        }
    ]
}

Affected versions

10.*
10.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33373.json"
github.com/zimbra/zm-zcs-lib

Affected ranges

Type
GIT
Repo
https://github.com/zimbra/zm-zcs-lib
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.0.0"
        },
        {
            "fixed": "10.0.18"
        },
        {
            "introduced": "10.1.0"
        },
        {
            "fixed": "10.1.13"
        }
    ]
}

Affected versions

10.*
10.0.0-GA
10.0.1
10.0.12
10.0.9
10.1.0
10.1.1
10.1.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33373.json"