CVE-2026-33373

Name of the Vulnerable Software and Affected Versions Zimbra Collaboration (ZCS) versions 10.0 and 10.1

Description A Cross-Site Request Forgery (CSRF) issue exists in the Zimbra Web Client. This is due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations like enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.

Recommendations Ensure CSRF protection is consistently enforced for all authentication tokens issued by Zimbra Collaboration (ZCS) version 10.0. Ensure CSRF protection is consistently enforced for all authentication tokens issued by Zimbra Collaboration (ZCS) version 10.1.