CVE-2026-33369

Vulnerability

Overview

CVE-2026-33369 is an authenticated LDAP injection vulnerability found in Zimbra Collaboration (ZCS) versions 10.0 and 10.1. The flaw resides in the Mailbox SOAP service's FolderAction operation, where user-supplied input is not properly sanitized before being incorporated into an LDAP search filter. This allows an authenticated attackers to manipulate LDAP queries by sending a crafted SOAP request [1][2].

Exploitation

An attacker must first authenticate to the Zimbra system. Once authenticated, they can send a specially crafted SOAP request to the FolderAction endpoint. The lack of input sanitization enables the attacker to inject LDAP filter syntax, altering the intended query. This attack does not require administrative privileges, as it exploits a standard authenticated user's ability to interact with the FolderAction operation [1][2].

Impact

Successful exploitation allows the attacker to retrieve sensitive directory attributes from the LDAP backend. This could include information such as user account details, email addresses, or other directory entries that are normally protected. The vulnerability is rated Medium (CVSS 4.3) due to the requirement for authentication and the limited scope of information disclosure [1][2].

Mitigation

Zimbra has addressed this vulnerability in ZCS version 10.1.16, released on February 4, 2026. The fix involves sanitizing user-controlled input before incorporating user input into LDAP filters. Users are strongly advised to upgrade to version 10.1.16 or later. No workarounds have been published, and the vulnerability is not known to be exploited in the wild at the time of disclosure [2][3].