Security Vulnerability Report
中文
CVE-2026-33550 CVSS 2.0 LOW

CVE-2026-33550

Published: 2026-03-22 03:16:01
Last Modified: 2026-03-23 19:57:28
Source: [email protected]

Description

SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

CVSS Details

CVSS Score
2.0
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:* - VULNERABLE
SOGo < 5.12.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-33550: Weak OTP Implementation Analysis # This script calculates the entropy of a 12-digit OTP to demonstrate the vulnerability. import math def calculate_entropy(length, charset_size=10): """Calculate entropy in bits.""" return length * math.log2(charset_size) # Vulnerable configuration otp_length = 12 charset_size = 10 # Assuming numeric digits as per description entropy_bits = calculate_entropy(otp_length, charset_size) print(f"[+] CVE-2026-33550 Analysis") print(f"[+] OTP Length: {otp_length} digits") print(f"[+] Estimated Entropy: {entropy_bits:.2f} bits") print(f"[!] Vulnerability: Entropy is too low (Recommended > 64 bits).") print(f"[!] Impact: Susceptible to brute force attacks.") # Note: To verify the "not renewing" issue, a tester would: # 1. Enable OTP for a user and record the Secret (A). # 2. Disable OTP. # 3. Enable OTP again and record the Secret (B). # 4. Compare A and B. If A == B, the vulnerability is confirmed.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33550", "sourceIdentifier": "[email protected]", "published": "2026-03-22T03:16:01.413", "lastModified": "2026-03-23T19:57:28.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended)."}, {"lang": "es", "value": "SOGo anterior a 5.12.5 no renueva la OTP si un usuario la desactiva/activa, y tiene una longitud demasiado corta (solo 12 dígitos en lugar de los 20 recomendados)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.6, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-308"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:alinto:sogo:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.12.5", "matchCriteriaId": "6300FA4D-5A77-4117-ACF1-11F319436E3D"}]}]}], "references": [{"url": "https://github.com/Alinto/sogo/commit/83d4c522f87cfde0ba543837d9b24c3479083ec2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Alinto/sogo/releases/tag/SOGo-5.12.5", "source": "[email protected]", "tags": ["Release Notes"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.