CVE-2025-32354

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration (ZCS) versions 9.0 through 10.1

Description A Cross-Site Request Forgery (CSRF) issue exists in the GraphQL endpoint (/service/extension/graphql) of Zimbra webmail due to a lack of CSRF token validation. This allows attackers to perform unauthorized GraphQL operations, such as modifying contacts, changing account settings, and accessing sensitive user data when an authenticated user visits a malicious website.

Recommendations For Zimbra Collaboration (ZCS) versions 9.0 through 10.1, as a temporary workaround, consider disabling the GraphQL endpoint (/service/extension/graphql) until a patch is available. Restrict access to the GraphQL endpoint to minimize the risk of exploitation. Avoid using the GraphQL endpoint for sensitive operations until the issue is resolved.