SOGo, OTP Mismanagement, CVE-2026-33550 (Medium)

Listen to this Post

How CVE-2026-33550 works

The vulnerability resides in SOGo’s handling of one‑time passwords (OTP) when a user toggles their two‑factor authentication setting. In versions before 5.12.5, disabling and then re‑enabling OTP does not trigger a fresh secret or a new token seed. Consequently, the previously issued OTP remains valid, allowing an attacker who had captured an earlier one to reuse it indefinitely. Additionally, the OTP length is fixed at 12 digits, falling short of the recommended 20‑digit standard, which reduces entropy and makes brute‑force attacks more feasible. The flaw effectively breaks the “one‑time” property and weakens the overall authentication mechanism. An adversary with temporary access to a user’s session or a leaked OTP can bypass the second factor after a simple disable/enable cycle. The issue stems from improper state invalidation in the OTP lifecycle and insufficient cryptographic length enforcement.

DailyCVE Form

Platform: SOGo
Version: before 5.12.5
Vulnerability : OTP reuse, short
Severity: Medium
date: 2026-03-21

Prediction: Patch already released

What Undercode Say:

Check SOGo version
sogod --version
Verify OTP length setting (default 12)
grep -i "otp" /etc/sogo/sogo.conf
Simulate OTP enable/disable cycle via SOGo SOAP
curl -X POST -d '{"action":"disableOTP"}' https://sogo.example/SOGo/soap
curl -X POST -d '{"action":"enableOTP"}' https://sogo.example/SOGo/soap
Test OTP reuse after toggle
(requires valid session and previously observed OTP)

Exploit:

An attacker who intercepts a valid 12‑digit OTP during an active session can wait for the user to disable and re‑enable 2FA (often done via settings). After the toggle, the same OTP remains accepted, allowing the attacker to authenticate without the real token.

Protection from this CVE

Upgrade to SOGo 5.12.5 or later. If immediate upgrade is not possible, temporarily disable OTP‑based 2FA or enforce a stricter OTP policy (e.g., TOTP with 20 digits) via configuration.

Impact:

Bypass of two‑factor authentication, account takeover, and compromised integrity of multi‑factor security controls. The short OTP length further increases exposure to brute‑force attacks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top