Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.
Published: 2026-03-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized actions via CSRF
Action: Patch
AI Analysis

Impact

The flaw lies in the Zimbra Webmail application, which accepts CSRF tokens from the request body rather than enforcing the expected header. This incorrect validation allows a malicious site to instruct an authenticated user to perform unwanted operations, potentially resulting in data changes or account manipulation performed under the victim’s identity.

Affected Systems

The vulnerability affects Zimbra Collaboration Suite versions 10.0 and 10.1. Administrators overseeing these deployments should confirm whether they run those versions. The issue was addressed in the 10.1.16 release notes.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.4, denoting moderate risk, and an EPSS score of less than 1%, indicating a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires a tricked, authenticated user to submit a crafted request, so the threat depends on user interaction and the presence of the vulnerable application.

Generated by OpenCVE AI on April 2, 2026 at 04:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that your Zimbra Collaboration Suite installation is on version 10.0 or 10.1 and plan an upgrade.
  • Apply the Zimbra 10.1.16 security update, which enforces proper CSRF token validation.
  • Test the patch by ensuring that CSRF tokens supplied in the request body are no longer accepted.
  • Monitor application logs for unexpected actions performed by authenticated users and enable Security Center alerts for suspicious activity.

Generated by OpenCVE AI on April 2, 2026 at 04:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Zimbra Webmail

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Synacor
Synacor zimbra Collaboration Suite
CPEs cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
Vendors & Products Synacor
Synacor zimbra Collaboration Suite

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Zimbra Webmail

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Zimbra
Zimbra collaboration
Vendors & Products Zimbra
Zimbra collaboration

Fri, 20 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.
References

Subscriptions

Synacor Zimbra Collaboration Suite
Zimbra Collaboration
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T13:40:40.502Z

Reserved: 2026-03-19T00:00:00.000Z

Link: CVE-2026-33372

cve-icon Vulnrichment

Updated: 2026-03-23T13:40:16.184Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T14:16:16.357

Modified: 2026-04-01T15:32:50.733

Link: CVE-2026-33372

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:38Z

Weaknesses