CSRF Vulnerability in Zimbra Collaboration by Zimbra
CVE-2026-33372

5.4 MEDIUM

Key Information:

Vendor: Zimbra
CVE Published: 20 March 2026

What is CVE-2026-33372?

A vulnerability exists in Zimbra Collaboration (ZCS) versions 10.0 and 10.1 that permits cross-site request forgery (CSRF) attacks due to incorrect validation of CSRF tokens. The application mistakenly accepts CSRF tokens received in the request body rather than enforcing their presence in the required request header. An attacker can exploit this flaw by deceiving an authenticated user into executing a malicious request, which could result in unauthorized actions being taken on the user's behalf. It is crucial for administrators and users of Zimbra Collaboration to implement security measures to address this vulnerability.
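
An added illustration of the validation flaw described above, not Zimbra's code: a framework-neutral Python sketch of a check that falls back to a body-supplied token, beside one that reads the token only from the request header. The header name, body field name, token and sample requests are assumptions constructed for the example.

```python
import hmac

# Hypothetical names: the advisory does not state Zimbra's header or field names.
CSRF_HEADER = "x-csrf-token"
CSRF_BODY_FIELD = "csrf_token"


def _header(headers, name):
    # HTTP header names are case-insensitive.
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def _matches(supplied, expected):
    # Constant-time comparison; a missing or empty token never matches.
    if not supplied or not expected:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


def validate_lenient(headers, form, session_token):
    """Flawed pattern: falls back to a token carried in the request body."""
    supplied = _header(headers, CSRF_HEADER) or form.get(CSRF_BODY_FIELD)
    return _matches(supplied, session_token)


def validate_strict(headers, form, session_token):
    """Hardened pattern: only the request header is consulted."""
    return _matches(_header(headers, CSRF_HEADER), session_token)


def body_only_acceptances(requests, session_token):
    """Names of requests the lenient check accepts but the strict check rejects."""
    return [
        r["name"] for r in requests
        if validate_lenient(r["headers"], r["form"], session_token)
        and not validate_strict(r["headers"], r["form"], session_token)
    ]


# Constructed sample requests and token, for illustration only.
TOKEN = "constructed-session-token"
SAMPLES = [
    {"name": "header", "headers": {"X-CSRF-Token": TOKEN}, "form": {}},
    {"name": "body-only", "headers": {}, "form": {"csrf_token": TOKEN}},
    {"name": "no-token", "headers": {}, "form": {}},
    {"name": "wrong-header", "headers": {"X-CSRF-Token": "x"}, "form": {"csrf_token": TOKEN}},
]
```

Running `body_only_acceptances` over a test suite's requests is a quick regression check after patching: the list should be empty once the server enforces the header.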

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
