CVE-2026-33550 — Use of Single-factor Authentication in Sogo

Severity

2.6LOWNVD

CNA2.0

EPSS

0.0%

top 91.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedMar 22

Description

SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has a too short length (only 12 digits instead of the 20 recommended).

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

▶CVEListV5alinto/sogo< 5.12.5

▶NVDalinto/sogo< 5.12.5

▶Debianalinto/sogo< 5.12.6-1

GHSA

GHSA-9x6p-jf26-xmx7: SOGo before 5↗2026-03-22

▶

OSV

CVE-2026-33550: SOGo before 5↗2026-03-22

▶

CVEList

CVE-2026-33550: SOGo before 5↗2026-03-22

▶

Debian

CVE-2026-33550: sogo - SOGo before 5.12.5 does not renew the OTP if a user disables/enables it, and has...↗2026

▶

Wiz

CVE-2026-33550 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶