CVE-2026-33373
Published: 30 March 2026
Summary
CVE-2026-33373 is a high-severity CSRF (CWE-352) vulnerability in Synacor Zimbra Collaboration Suite. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Directly requires mechanisms to protect session authenticity, such as CSRF tokens, addressing the lack of CSRF enforcement on authentication tokens issued during account state transitions like enabling or disabling 2FA.
- SI-10 (Information Input Validation): Mandates validation of inputs to authenticated SOAP requests, ensuring CSRF tokens are checked to block forged cross-site requests that trigger sensitive account actions.
- Requires re-authentication for privileged operations like password changes or 2FA modifications, adding a barrier against CSRF exploitation since attackers cannot supply victim credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF enables account auth changes (disable MFA) via malicious link/social engineering requiring user interaction.
NVD Description
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
Deeper analysis
CVE-2026-33373 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Zimbra Collaboration Suite (ZCS) versions 10.0 and 10.1, specifically in the Zimbra Web Client. The issue arises because authentication tokens issued during certain account state transitions, such as enabling two-factor authentication or changing a password, lack CSRF protection. While these tokens are active, authenticated SOAP requests that trigger token generation or state changes bypass CSRF validation. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An unauthenticated attacker (PR:N) can exploit this vulnerability by tricking an authenticated victim into submitting crafted requests through social engineering or malicious websites, requiring user interaction (UI:R). Successful exploitation enables the attacker to perform sensitive account actions on the victim's behalf, such as disabling two-factor authentication, potentially leading to high confidentiality, integrity, and availability impacts.
Zimbra advisories recommend upgrading to patched versions, including ZCS 10.0.18 and 10.1.13, which address the issue through security fixes that ensure CSRF protection is consistently enforced for all issued authentication tokens. Additional details are available in the Zimbra Security Center and Responsible Disclosure Policy on their wiki.
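The defect class described in the NVD text and the analysis above, as an added model that is not Zimbra's code: a session store that re-issues the auth token after an account state transition, with the vulnerable variant leaving that token unbound to a CSRF token so the handler has nothing to validate, and the hardened variant binding every minted token and failing closed. The SOAP request names are assumed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AuthToken:
    value: str
    csrf_token: Optional[str]  # None models a token issued without CSRF protection


class SoapSessionModel:
    """Constructed model: hardened=False reproduces the defect, hardened=True the fix."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.tokens: Dict[str, AuthToken] = {}

    def _mint(self, bind_csrf: bool) -> AuthToken:
        tok = AuthToken(secrets.token_hex(16),
                        secrets.token_hex(16) if bind_csrf else None)
        self.tokens[tok.value] = tok
        return tok

    def login(self) -> AuthToken:
        return self._mint(bind_csrf=True)  # a normal login always binds a CSRF token

    def account_transition(self, request_name: str) -> AuthToken:
        # The auth token is re-issued after e.g. enabling 2FA; the vulnerable
        # build mints it without a CSRF binding, the hardened build always binds.
        return self._mint(bind_csrf=self.hardened)

    def handle_soap(self, auth_cookie: str, csrf_header: Optional[str], name: str) -> str:
        tok = self.tokens.get(auth_cookie)
        if tok is None:
            return "refused: no session"
        if tok.csrf_token is None:
            # Vulnerable build: nothing to compare, so the request runs; the fix fails closed.
            return "refused: token has no CSRF binding" if self.hardened else "executed"
        if csrf_header is None or not secrets.compare_digest(csrf_header, tok.csrf_token):
            return "refused: CSRF token mismatch"
        return "executed"


def request_outcome(hardened: bool, cross_site: bool) -> str:
    """Outcome of a 2FA-disable request sent with the victim's cookie after the
    victim enabled 2FA. A cross-site request carries the cookie but not the CSRF token."""
    model = SoapSessionModel(hardened)
    model.login()
    tok = model.account_transition("EnableTwoFactorAuthRequest")  # assumed name
    header = None if cross_site else tok.csrf_token
    return model.handle_soap(tok.value, header, "DisableTwoFactorAuthRequest")  # assumed name
```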
Details
- CWE(s)