{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-33550", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-22T02:16:55.848Z", "datePublished": "2026-03-22T02:16:56.263Z", "dateUpdated": "2026-03-23T15:53:19.737Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SOGo", "vendor": "Alinto", "versions": [{"lessThan": "5.12.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-308", "description": "CWE-308 Use of Single-factor Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-22T02:23:27.538Z"}, "references": [{"url": "https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2"}, {"url": "https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.5"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:07:21.825824Z", "id": "CVE-2026-33550", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:53:19.737Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Alinto", "product": "SOGo", "versions": [{"status": "affected", "version": "0", "lessThan": "5.12.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2"}, {"url": "https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.5"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-308", "description": "CWE-308 Use of Single-factor Authentication"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-22T02:23:27.538Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33550", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:07:21.825824Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-23T15:07:23.010Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33550", "state": "PUBLISHED", "dateUpdated": "2026-03-22T02:23:27.538Z", "dateReserved": "2026-03-22T02:16:55.848Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-22T02:16:56.263Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "matchCriteriaId": "6300FA4D-5A77-4117-ACF1-11F319436E3D", "versionEndExcluding": "5.12.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended)."}], "id": "CVE-2026-33550", "lastModified": "2026-03-23T19:57:28.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-22T03:16:01.413", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.5"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-308"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.12.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SOGo", "source": "cna", "vendor": "Alinto"}, "product": "sogo", "vendor": "alinto"}], "analysis": {"en": {"generated_at": "2026-03-24T03:59:28.337871+00:00", "value": {"mitigation_remediation": ["Apply the official SOGo 5.12.5 update or later, which renews OTP tokens correctly and expands token length to the recommended twenty digits."], "summary": {"action": "Apply Patch", "impact": "Authentication bypass via re\u2011used OTP"}, "threat_synthesis": {"affected_systems": "Alinto SOGo installations running a version earlier than 5.12.5 are affected. No other versions or products are listed as impacted.", "description_and_impact": "SOGo user accounts that disable and subsequently re\u2011enable OTP do not trigger an OTP renewal; the system continues to accept the previously issued token. Additionally, the token length is only twelve digits, well below the recommended twenty digits, making it easier for an adversary to guess or brute\u2011force the value. This flaw grants an attacker the ability to replay an old token and bypass authentication controls, potentially allowing unauthorized access to user mailboxes or other protected resources. The weakness corresponds to the CWE\u2011308, \u201cInsufficient Validation of Security Parameters\u201d.", "risk_and_exploitability": "The CVSS score of 2 indicates low overall severity, and the EPSS score is below 1\u202f%, implying a very low probability of exploitation in the wild. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is inferred to be a local or remote attacker who can capture or guess a short OTP\u2014such as through phishing, network interception or brute force such that they can replay the old token after a user disables and re\u2011enables OTP. Exploitation would require the attacker to obtain the OTP code or to observe its transmission, without requiring code execution or privilege escalation. Given the low score and exploit probability, the risk to most systems is limited, but the potential impact on confidentiality warrants mitigation."}}}}, "created": "2026-03-23T09:46:44.508960+00:00", "title": "Insufficient OTP Renewal and Length in SOGo Leading to Potential Credential Compromise", "updated": "2026-03-25T14:46:44.751777+00:00", "vendors": ["alinto", "alinto$PRODUCT$sogo"]}