CVE-2026-33550 LOW

CVE-2026-33550

Vendor Alinto
Product SOGo
Weakness CWE-308
Published March 22, 2026
Last update March 23, 2026

CVSS base score

2.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

Key dates

02Disclosure timeline

March 22, 2026 CVE published
March 23, 2026 Record updated