Authentication Flaw in SOGo Product by Alinto
CVE-2026-33550

2 LOW

Key Information:

Vendor: Alinto

Status
Vendor
CVE Published: 22 March 2026

What is CVE-2026-33550?

SOGo versions prior to 5.12.5 have a security flaw in One-Time Password (OTP) generation. The OTP is not renewed when a user toggles its activation status, and the OTP is short: only 12 digits instead of the recommended 20 digits. Both weaken the protection of user accounts and sensitive data, so affected users should update to the latest version.

Affected Version(s)

SOGo 0 < 5.12.5

CVSS V3.1

Score: 2
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.