LDAP Injection Vulnerability in Zimbra Collaboration by Zimbra
CVE-2026-33369

4.3MEDIUM

Key Information:

Vendor: Zimbra
Status: Zimbra Collaboration
Vendor: CVE Published:; 20 March 2026

What is CVE-2026-33369?

Zimbra Collaboration versions 10.0 and 10.1 are susceptible to an LDAP injection vulnerability within the Mailbox SOAP service, particularly during a FolderAction operation. The flaw arises from inadequate input sanitization of user-supplied data, allowing an authenticated attacker to craft a malicious SOAP request. This manipulation can alter the underlying LDAP query, potentially exposing sensitive directory attributes that should remain confidential.

References

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://wiki.zimbra.com/wiki/Security_Center

https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosur...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 19, 2026

CVE-2026-33369 Data

JSON