Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
Published: 2026-03-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery enables unauthorized privileged actions, such as disabling two‑factor authentication
Action: Immediate Patch
AI Analysis

Impact

A Cross‑Site Request Forgery vulnerability exists in the Zimbra Collaboration Suite Web Client. Authentication tokens issued after certain account state changes, such as enabling two‑factor authentication or changing a password, are not covered by CSRF protection. While such a token is live, state‑changing SOAP requests authenticated with it are accepted without CSRF validation, so a page the victim is lured into visiting can have the victim's own browser submit them. The weakness is a classic CSRF flaw (CWE‑352) that can let an attacker disable two‑factor authentication and potentially perform other privileged account actions.
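The check below is added here as an example; it is not Zimbra's or OpenCVE's code. It exercises the condition the advisory describes: a state‑changing SOAP request sent with the session's auth cookie but without the same‑origin CSRF header, which is exactly what a victim's browser would produce from a hostile page. It assumes Zimbra's JSON SOAP endpoint at /service/soap, the ZM_AUTH_TOKEN cookie and the X-Zimbra-Csrf-Token header, and that a refused call comes back as a SOAP Fault or an HTTP 401/403; the specific fault code is not asserted. Run it only against a dedicated test account, with a token obtained right after that account enabled two‑factor authentication or changed its password, since that is the token population the advisory says lacks protection; if the server accepts the request it really does change state.

```python
"""Probe whether a Zimbra SOAP endpoint refuses a cookie-authenticated,
state-changing request that carries no CSRF token header.

Added example, not Zimbra code. Assumptions: the web client authenticates
SOAP calls with the ZM_AUTH_TOKEN cookie and proves same-origin with an
X-Zimbra-Csrf-Token header; a refused call comes back as a SOAP Fault or
an HTTP 401/403; an executed call answers with a <Name>Response element.
Run only against a dedicated test account.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

SOAP_PATH = "/service/soap"
CSRF_HEADER = "X-Zimbra-Csrf-Token"
AUTH_COOKIE = "ZM_AUTH_TOKEN"

# Account-namespace requests the advisory names as the state changes a
# forged request could trigger.
STATE_CHANGING = {
    "DisableTwoFactorAuthRequest": "urn:zimbraAccount",
    "EnableTwoFactorAuthRequest": "urn:zimbraAccount",
    "ChangePasswordRequest": "urn:zimbraAccount",
}

Transport = Callable[[Dict[str, str], bytes], Tuple[int, bytes]]


def build_soap_request(request_name: str,
                       attrs: Optional[Dict[str, str]] = None) -> bytes:
    """Zimbra-style JSON SOAP envelope. Authentication comes from the
    cookie, as it would in a cross-site forgery, not from an authToken
    in the SOAP header (which a cross-site attacker cannot know)."""
    body: Dict[str, str] = {"_jsns": STATE_CHANGING[request_name]}
    body.update(attrs or {})
    envelope = {"Header": {"context": {"_jsns": "urn:zimbra"}},
                "Body": {request_name: body}}
    return json.dumps(envelope).encode()


def classify_response(status: int, body: bytes, request_name: str) -> str:
    """'not_enforced' if the server executed the request, 'enforced' if it
    answered with a SOAP Fault or 401/403, 'inconclusive' otherwise."""
    soap_body: Dict = {}
    try:
        doc = json.loads(body)
        if isinstance(doc, dict) and isinstance(doc.get("Body"), dict):
            soap_body = doc["Body"]
    except ValueError:
        pass  # not JSON: fall through to the status-code heuristics
    if "Fault" in soap_body:
        return "enforced"
    if request_name.replace("Request", "Response") in soap_body:
        return "not_enforced"
    if status in (401, 403):
        return "enforced"
    return "inconclusive"


def check_csrf_enforcement(request_name: str, auth_token: str,
                           send: Transport) -> str:
    """Send the request with the auth cookie but WITHOUT the CSRF header,
    as a victim's browser would from a hostile page, and classify the
    outcome. `send` is injectable so the logic can be tested offline."""
    headers = {"Content-Type": "application/json",
               "Cookie": f"{AUTH_COOKIE}={auth_token}"}
    assert CSRF_HEADER not in headers  # the whole point of the probe
    status, body = send(headers, build_soap_request(request_name))
    return classify_response(status, body, request_name)


def urllib_transport(base_url: str) -> Transport:
    """Real HTTP transport for use against a test server."""
    def send(headers: Dict[str, str], payload: bytes) -> Tuple[int, bytes]:
        req = urllib.request.Request(base_url + SOAP_PATH, data=payload,
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as e:  # Zimbra faults often ride a 500
            return e.code, e.read()
    return send


if __name__ == "__main__":
    import sys
    # usage: probe.py https://mail.example.test <auth token of TEST account>
    base, token = sys.argv[1], sys.argv[2]
    print(check_csrf_enforcement("DisableTwoFactorAuthRequest", token,
                                 urllib_transport(base)))
```

A verdict of not_enforced means the server executed the request on cookie authentication alone; enforced means it refused; inconclusive means the response was not recognisable and should be read by hand. Because the token population at issue is the one minted after a two‑factor or password transition, repeat the probe with a token from each such transition, not only with the login token.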

Affected Systems

The flaw affects Zimbra Collaboration Suite versions 10.0 and 10.1. The affected products are listed under the vendor Synacor as Zimbra Collaboration Suite. Specific releases that contain the fix include 10.0.18 and 10.1.13.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates high severity; the EPSS score below 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. The attack requires user interaction: the attacker hosts a page, or sends a link, that causes the victim's already‑authenticated browser to submit a crafted SOAP request to the Zimbra server. The request rides on the victim's own session, so no credentials need to be stolen. The risk is significant for any organization whose users manage account settings through the Zimbra Web Client.

Generated by OpenCVE AI on April 7, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE data for this entry. The AI analysis above names 10.0.18 and 10.1.13 as the releases that contain the fix; confirm those version numbers against Zimbra's own release notes and security advisories before relying on them.

OpenCVE Recommended Actions

  • Apply the Zimbra security patch 10.0.18 for ZCS 10.0 or 10.1.13 for ZCS 10.1, which enforces CSRF protection on all issued authentication tokens.
  • After patching, confirm the fix on a test account: enable two‑factor authentication or change the password, then send a state‑changing SOAP request with only the auth cookie and no CSRF token header, and verify that the server rejects it. The check must hold for the token issued by that transition, not only for the original login token. Confirm the global CSRF token check (zimbraCsrfTokenCheckEnabled) is enabled as a prerequisite; it is not by itself a fix for this CVE, since the issue is tokens issued without that enforcement.
  • Monitor for unexpected changes to two‑factor authentication settings, in particular a disable shortly after an enable or a password change on the same account, and audit account changes for unauthorized modifications.
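To act on the monitoring item above, the script below, an added example that is not part of this page or of Zimbra, scans mailbox.log style SOAP entries and reports every DisableTwoFactorAuthRequest, escalating those that fall within a short window after an EnableTwoFactorAuthRequest or ChangePasswordRequest for the same account, the window in which the advisory says the unprotected token is live. The log lines are constructed for this example; the field layout (timestamp, level, thread, a [name=...;ip=...;ua=...;] context block, then "soap - <Request> elapsed=N") is an assumption about the deployment's log format and should be compared with a real line before use. One caveat the code repeats: a forged cross‑site request is sent by the victim's own browser, so its IP and user agent match the legitimate session; they are reported for context, not used as the discriminator.

```python
"""Flag two-factor-auth disablement that follows an enable-2FA or
password-change event for the same account within a short window.

Added example, not Zimbra code. LOG_SAMPLE is constructed; the line
layout is an assumption about the deployment's mailbox.log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: alice disables 2FA four minutes after enabling it;
# bob disables it hours after a password change; the IMAP line and the
# failed request are noise the parser must skip.
LOG_SAMPLE = """\
2026-04-02 09:00:12,101 INFO  [qtp1234-17:https://mail.example.test/service/soap/EnableTwoFactorAuthRequest] [name=alice@example.test;mid=7;ip=203.0.113.10;port=50122;ua=ZimbraWebClient - FF136 (Linux)/10.1.12;soapId=1a2b;] soap - EnableTwoFactorAuthRequest elapsed=88
2026-04-02 09:02:00,000 INFO  [ImapServer-3] [name=alice@example.test;ip=203.0.113.10;] imap - authentication succeeded
2026-04-02 09:04:40,455 INFO  [qtp1234-19:https://mail.example.test/service/soap/DisableTwoFactorAuthRequest] [name=alice@example.test;mid=7;ip=203.0.113.10;port=50140;ua=ZimbraWebClient - FF136 (Linux)/10.1.12;soapId=1a2c;] soap - DisableTwoFactorAuthRequest elapsed=41
2026-04-02 10:30:05,002 INFO  [qtp1234-22:https://mail.example.test/service/soap/ChangePasswordRequest] [name=bob@example.test;mid=9;ip=198.51.100.7;port=40111;ua=ZimbraWebClient - GC134 (Win)/10.1.12;soapId=2b3c;] soap - ChangePasswordRequest elapsed=120
2026-04-02 13:45:00,777 INFO  [qtp1234-30:https://mail.example.test/service/soap/DisableTwoFactorAuthRequest] [name=bob@example.test;mid=9;ip=198.51.100.7;port=40302;ua=ZimbraWebClient - GC134 (Win)/10.1.12;soapId=2b3d;] soap - DisableTwoFactorAuthRequest elapsed=39
2026-04-02 13:46:11,500 WARN  [qtp1234-31:https://mail.example.test/service/soap/ChangePasswordRequest] [ip=192.0.2.55;] soap - ChangePasswordRequest failed: account.AUTH_FAILED
"""

# Assumed shape: "ts,ms LEVEL [thread] [k=v;k=v;...] soap - <Request> elapsed=N".
# Requiring "elapsed=" keeps only requests the server actually completed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\w+\s+"
    r"\[[^\]]*\]\s+\[(?P<ctx>[^\]]*)\]\s+soap - (?P<req>\w+Request) elapsed=\d+"
)

PRECURSORS = {"EnableTwoFactorAuthRequest", "ChangePasswordRequest"}
TARGET = "DisableTwoFactorAuthRequest"


class SoapEvent(NamedTuple):
    ts: datetime
    account: str
    ip: str
    ua: str
    request: str


def parse_line(line: str) -> Optional[SoapEvent]:
    """Parse one completed SOAP entry; None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in m.group("ctx").split(";") if "=" in kv)
    return SoapEvent(ts=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                     account=ctx.get("name", ""), ip=ctx.get("ip", ""),
                     ua=ctx.get("ua", ""), request=m.group("req"))


def find_2fa_disables(lines: List[str],
                      window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """One finding per DisableTwoFactorAuthRequest. Severity is 'high' when
    a precursor for the same account lies within `window`, else 'info'.
    IP and UA are carried for the analyst but deliberately not compared:
    a cross-site forged request is issued by the victim's own browser and
    therefore matches the legitimate session."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    recent: Dict[str, List[SoapEvent]] = defaultdict(list)
    findings: List[dict] = []
    for ev in events:
        if ev.request in PRECURSORS:
            recent[ev.account].append(ev)
        elif ev.request == TARGET:
            in_window = [p for p in recent[ev.account] if ev.ts - p.ts <= window]
            last = max(in_window, key=lambda p: p.ts) if in_window else None
            findings.append({
                "time": ev.ts.isoformat(sep=" "),
                "account": ev.account, "ip": ev.ip, "ua": ev.ua,
                "severity": "high" if last else "info",
                "precursor": last.request if last else None,
                "seconds_since_precursor":
                    int((ev.ts - last.ts).total_seconds()) if last else None,
            })
    return findings


if __name__ == "__main__":
    for f in find_2fa_disables(LOG_SAMPLE.splitlines()):
        tail = (f" ({f['seconds_since_precursor']}s after {f['precursor']})"
                if f["precursor"] else "")
        print(f"[{f['severity']:4}] {f['time']} {f['account']} from {f['ip']}{tail}")
```

Every disable is emitted so the list can be reconciled with the user; the high‑severity subset is the one to verify first, since a user who legitimately disables two‑factor authentication minutes after enabling it is rare while an attacker racing the token's lifetime is exactly what the advisory describes. Tune the window to the token lifetime in your deployment.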


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Synacor; Synacor zimbra Collaboration Suite
CPEs                                  cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
Vendors & Products                    Synacor; Synacor zimbra Collaboration Suite

Fri, 03 Apr 2026 06:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc (version 2.0.3): Automatable = no; Exploitation = none; Technical Impact = total

Thu, 02 Apr 2026 20:30:00 +0000

Type    Values Removed   Values Added
Title                    Cross‑Site Request Forgery Allowing Unauthorized Account State Changes in Zimbra Collaboration

Wed, 01 Apr 2026 23:45:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: score 8.8; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Zimbra; Zimbra collaboration Suite
Vendors & Products                    Zimbra; Zimbra collaboration Suite

Tue, 31 Mar 2026 03:00:00 +0000

Type         Values Removed   Values Added
Title                         Cross‑Site Request Forgery Allowing Unauthorized Account State Changes in Zimbra Collaboration
Weaknesses                    CWE-352

Mon, 30 Mar 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Updated: 2026-04-01T15:38:23.209Z

Reserved: 2026-03-19T00:00:00.000Z

Link: CVE-2026-33373

Vulnrichment

Updated: 2026-04-01T15:38:17.298Z

NVD

Status : Analyzed

Published: 2026-03-30T15:16:29.410

Modified: 2026-04-07T18:50:47.480

Link: CVE-2026-33373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:52Z

Weaknesses