Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
Published: 2026-03-30
Score: n/a
EPSS: n/a
KEV: No
Impact: Unauthorized account state changes via CSRF
Action: Immediate Patch
AI Analysis

Impact

Zimbra Collaboration issues a fresh authentication token during certain account state transitions, such as enabling two‑factor authentication or changing a password. Tokens minted during these transitions are not marked for CSRF enforcement, so while such a token is active, state‑changing SOAP requests arriving from the victim's browser are accepted without a CSRF check. An attacker who lures an authenticated user to a page or link that submits a crafted request can therefore trigger SOAP calls that alter account settings, for example disabling two‑factor authentication, and thereby weaken the protection on the victim's account.

Affected Systems

The vulnerability impacts Zimbra Collaboration Server (ZCS) deployments running the 10.0 and 10.1 release lines. Both versions of the web client issue authentication tokens that lack CSRF enforcement during specific state transitions, making the described attack feasible for users of these releases.

Risk and Exploitability

Official CVSS metrics are not provided and EPSS data is unavailable. Exploitation needs an authenticated victim whose browser can be steered to an attacker‑controlled page or link, and the exposure window is limited to the time a token issued by one of the affected state transitions remains active, that is, after the user has recently enabled two‑factor authentication or changed a password. Within that window the attacker can alter critical account security settings, so the exploit risk is moderate to high. The vulnerability is not yet listed in the KEV catalog, but organizations running the affected Zimbra releases should treat it as a serious risk because it can defeat two‑factor authentication and undermine account integrity. The expected attack vector is a classic web‑based CSRF: a page or link engineered to have the victim's browser submit a state‑changing SOAP request that the server then accepts without the missing CSRF check.

Generated by OpenCVE AI on March 30, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Zimbra Collaboration updates (10.0.18 for the 10.0 line or 10.1.13 for the 10.1 line, as given in this summary; confirm the fixed build against Zimbra's own release notes, since the Remediation field above records no vendor fix), which enforce CSRF protection on all authentication tokens.
  • Verify that all authentication tokens issued by the system are generated with CSRF checks enabled; after patching, exercise one of the affected transitions (enable two‑factor authentication or change a password) and confirm that a state‑changing SOAP request sent without the CSRF token is rejected under the newly issued token.
  • Monitor account activity logs for unexpected state changes such as disabling two‑factor authentication or password resets.
  • Follow Zimbra security advisories for any additional guidance on configuration or temporary workarounds.


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type         Values Removed   Values Added
Title                         Cross‑Site Request Forgery Allowing Unauthorized Account State Changes in Zimbra Collaboration
Weaknesses                    CWE-352

Mon, 30 Mar 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description                   An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-30T14:45:52.857Z

Reserved: 2026-03-19T00:00:00.000Z

Link: CVE-2026-33373

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-30T15:16:29.410

Modified: 2026-03-30T15:16:29.410

Link: CVE-2026-33373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:56:30Z

Weaknesses