CVE-2026-33373
Received Received - Intake
CSRF Vulnerability in Zimbra Web Client Enables Account Takeover

Publication date: 2026-03-30

Last updated on: 2026-04-07

Assigner: MITRE

Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33373
EUVD
EUVD-2026-17106
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
synacor zimbra_collaboration_suite From 10.0.0 (inc) to 10.0.18 (exc)
synacor zimbra_collaboration_suite From 10.1.0 (inc) to 10.1.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue found in Zimbra Collaboration (ZCS) versions 10.0 and 10.1. It occurs because authentication tokens are issued without CSRF protection during certain account state changes, such as enabling two-factor authentication or changing a password.

While such a token is active, authenticated SOAP requests that cause token generation or state changes can be made without CSRF validation. An attacker could exploit this by tricking a victim into submitting crafted requests, potentially allowing the attacker to perform sensitive actions like disabling two-factor authentication on the victim's account.

The vulnerability is addressed by ensuring that CSRF protection is consistently applied to all issued authentication tokens.

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized sensitive actions on a victim's account without their consent. For example, an attacker could disable two-factor authentication by exploiting the lack of CSRF protection on authentication tokens.

Such unauthorized actions could weaken account security, potentially leading to account compromise or unauthorized access to sensitive information.

Mitigation Strategies

To mitigate this vulnerability, ensure that CSRF protection is consistently enforced for all issued authentication tokens, especially those generated after operations such as enabling two-factor authentication or changing a password.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33373. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart