CVE-2026-33372

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wiki.zimbra.com/wiki/Security_Center
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-20 14:16

Updated : 2026-03-24 15:54

NVD link : CVE-2026-33372

Mitre link : CVE-2026-33372

CVE.ORG link : CVE-2026-33372

JSON object : View

Products Affected

No product.

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-33372", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T14:16:16.357", "references": [{"url": "https://wiki.zimbra.com/wiki/Security_Center", "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.16#Security_Fixes", "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy", "source": "cve@mitre.org"}, {"url": "https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A cross-site request forgery (CSRF) vulnerability exists in Zimbra Webmail due to improper validation of CSRF tokens. The application accepts CSRF tokens supplied within the request body instead of requiring them through the expected request header. An attacker can exploit this issue by tricking an authenticated user into submitting a crafted request. This may allow unauthorized actions to be performed on behalf of the victim."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Zimbra Collaboration (ZCS) 10.0 y 10.1. Existe una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en Zimbra Webmail debido a una validaci\u00f3n incorrecta de los tokens CSRF. La aplicaci\u00f3n acepta tokens CSRF suministrados dentro del cuerpo de la petici\u00f3n en lugar de requerirlos a trav\u00e9s de la cabecera de petici\u00f3n esperada. Un atacante puede explotar este problema enga\u00f1ando a un usuario autenticado para que env\u00ede una petici\u00f3n manipulada. Esto puede permitir que se realicen acciones no autorizadas en nombre de la v\u00edctima."}], "lastModified": "2026-03-24T15:54:09.400", "sourceIdentifier": "cve@mitre.org"}