Cross-Site Request Forgery Vulnerability in Zimbra Collaboration Products
CVE-2026-33373

8.8 HIGH

Key Information:

Vendor: Zimbra
CVE Published: 30 March 2026

What is CVE-2026-33373?

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Zimbra Collaboration Server (ZCS) versions 10.0 and 10.1. The flaw arises because authentication tokens issued during certain account state transitions, such as enabling two-factor authentication or changing a password, are generated without adequate CSRF protection. While such a token is active, an attacker who lures the logged-in user to an attacker-controlled page can cause the victim's browser to submit forged, state-changing requests, which the server accepts on the strength of the session cookie alone. The result is unauthorized actions on the victim's account, including disabling two-factor authentication. Exploitation requires no privileges on the server but does require user interaction, which is reflected in the CVSS metrics below. Mitigation consists of enforcing CSRF protection for every issued authentication token, so that a token minted after a state transition is bound to its own anti-CSRF secret and no state-changing request is honoured without it.
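The pattern the advisory describes, as an added Python model that is not code from the advisory or from Zimbra: a handler that disables 2FA on the strength of the auth cookie alone, beside a hardened handler that checks the request Origin and requires a synchronizer token derived from the current auth token with a server-side key. The session store, the handler names, the X-CSRF-Token header, the origins and the account are assumptions; the ZM_AUTH_TOKEN cookie name mirrors Zimbra's auth cookie but the handlers are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical server-side key; in practice loaded from protected configuration.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://mail.example.test"   # constructed origin of the web client


@dataclass
class Account:
    username: str
    two_factor_enabled: bool = True


@dataclass
class Session:
    auth_token: str
    account: Account


sessions: Dict[str, Session] = {}          # toy store: auth token -> session


def csrf_token_for(auth_token: str) -> str:
    """Synchronizer token bound to one auth token via a keyed MAC.

    Every freshly minted auth token (after enabling 2FA, changing a password,
    ...) therefore carries its own CSRF secret; a token derived for an earlier
    session does not validate against the new one.
    """
    return hmac.new(SERVER_SECRET, auth_token.encode(), hashlib.sha256).hexdigest()


def issue_auth_token(account: Account) -> str:
    """Model of a state-transition path that mints a fresh auth token."""
    token = secrets.token_urlsafe(32)
    sessions[token] = Session(token, account)
    return token


@dataclass
class Request:
    cookies: Dict[str, str]
    headers: Dict[str, str]
    form: Dict[str, str]


def _session_for(req: Request) -> Optional[Session]:
    return sessions.get(req.cookies.get("ZM_AUTH_TOKEN", ""))


def disable_2fa_vulnerable(req: Request) -> int:
    """Weak pattern: the browser-attached cookie alone authorises the change."""
    sess = _session_for(req)
    if sess is None:
        return 401
    sess.account.two_factor_enabled = False
    return 200


def disable_2fa_hardened(req: Request) -> int:
    """Same action with an Origin check and a per-token synchronizer token."""
    sess = _session_for(req)
    if sess is None:
        return 401
    # 1. Reject cross-site requests by Origin (Referer as a fallback).
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403
    # 2. Require the CSRF token bound to *this* auth token (constant-time compare).
    supplied = req.headers.get("X-CSRF-Token") or req.form.get("csrfToken", "")
    if not supplied or not hmac.compare_digest(supplied, csrf_token_for(sess.auth_token)):
        return 403
    sess.account.two_factor_enabled = False
    return 200


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: victim has 2FA on; an attacker page posts the disable form."""
    victim = Account("alice")
    old_token = issue_auth_token(victim)    # token before the state transition
    token = issue_auth_token(victim)        # fresh token after e.g. enabling 2FA

    forged = Request(cookies={"ZM_AUTH_TOKEN": token},              # browser attaches the cookie
                     headers={"Origin": "https://attacker.test"},
                     form={})                                       # attacker cannot read the CSRF token
    stale = Request(cookies={"ZM_AUTH_TOKEN": token},
                    headers={"Origin": SITE_ORIGIN},
                    form={"csrfToken": csrf_token_for(old_token)})  # secret from the previous token
    genuine = Request(cookies={"ZM_AUTH_TOKEN": token},
                      headers={"Origin": SITE_ORIGIN, "X-CSRF-Token": csrf_token_for(token)},
                      form={})

    results: Dict[str, object] = {}
    results["vulnerable_forged"] = disable_2fa_vulnerable(forged)
    results["vulnerable_2fa_after"] = victim.two_factor_enabled
    victim.two_factor_enabled = True
    results["hardened_forged"] = disable_2fa_hardened(forged)
    results["hardened_stale"] = disable_2fa_hardened(stale)
    results["hardened_2fa_after_attacks"] = victim.two_factor_enabled
    results["hardened_genuine"] = disable_2fa_hardened(genuine)
    results["hardened_2fa_after_genuine"] = victim.two_factor_enabled
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The forged request succeeds against the weak handler and is rejected by the hardened one, and a CSRF secret derived for the previous auth token is rejected as well, which is the binding the advisory asks for. A SameSite attribute on the auth cookie is worthwhile defence in depth, but it does not replace per-token CSRF validation on the server.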


CVSS v3.1

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 30 March 2026

  • Vulnerability reserved