CVE-2026-33550: CWE-308 Use of Single-factor Authentication in Alinto SOGo
CVE-2026-33550 is a vulnerability in Alinto's SOGo email and groupware server prior to version 5.12.5. The issue concerns the shared secret behind the one-time passwords (OTPs) used for multi-factor authentication (MFA). When a user disables and then re-enables OTP-based authentication, the server does not renew the OTP secret: it keeps the original short 12-digit secret instead of generating a new one of the recommended 20-digit length. A secret that survives disable/re-enable stays valid for anyone who previously obtained it, and a short secret carries less entropy than intended, so the strength of the second factor is reduced. The vulnerability has a low CVSS score of 2.0, reflecting its limited impact and high exploitation complexity, with high privileges and user interaction required. No known exploits are currently reported in the wild. Organizations using affected versions of SOGo should upgrade to version 5.
AI Analysis
Technical Summary
CVE-2026-33550 is a weakness in the OTP-based multi-factor authentication of Alinto's SOGo groupware server before version 5.12.5. Two defects combine. First, when a user disables OTP authentication and later re-enables it, the server keeps the previously stored OTP secret rather than generating a new one, so anyone who obtained the original secret (for example from the provisioning QR code or an old authenticator backup) can still compute valid codes after the user believes MFA has been reset. Second, the stored secret is only 12 digits long, whereas the recommended length is 20. RFC 4226 requires a shared secret of at least 128 bits and recommends 160 bits (20 bytes), so the advisory's "20 digits" most plausibly means 20 bytes; the CVE text does not say whether "12 digits" denotes decimal digits or bytes. Either reading falls short of the recommendation: 12 decimal digits give only about 40 bits of entropy, while 12 random bytes (96 bits) are still impractical to brute-force, which makes the reuse of the secret the more realistic exposure. Note that the OTP secret is distinct from the six-digit code the user types; the code's length is unaffected. The weakness is classified as CWE-308 (Use of Single-factor Authentication), because a reused or weak second factor degrades MFA toward single-factor authentication. The CVSS v3.1 base score is 2.0 (Low): exploitation requires high privileges and user interaction, and the assessed impact is limited to integrity, with none on confidentiality or availability. No public exploit or in-the-wild activity has been reported. The fix in SOGo 5.12.5 generates a fresh secret whenever OTP is enabled and uses the recommended 20-digit length, restoring the intended strength of the authentication mechanism.
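The following Python model is an added illustration, not SOGo's own code (SOGo is written in Objective-C, and the OtpEnrollment class, the rotate_on_enable switch and the 1_700_000_000 timestamp are hypothetical). It implements RFC 6238 TOTP with the standard library, models the disable/re-enable flow described above with the 12- and 20-digit lengths interpreted as bytes, and shows that a secret captured at first enrollment keeps producing valid codes under the weak behaviour but not under the hardened one:

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 section 4: shared secret MUST be at least 128 bits; 160 bits RECOMMENDED.
RFC4226_MIN_BITS = 128
RFC4226_RECOMMENDED_BITS = 160


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def secret_bits(secret: bytes) -> int:
    """Entropy of a secret drawn uniformly from the CSPRNG: 8 bits per byte."""
    return len(secret) * 8


class OtpEnrollment:
    """Per-user OTP state (hypothetical model, not SOGo's data structure).

    rotate_on_enable=False with secret_len=12 reproduces the behaviour the
    advisory describes for SOGo < 5.12.5: the secret is short and survives a
    disable/enable cycle. rotate_on_enable=True with secret_len=20 is the
    hardened behaviour.
    """

    def __init__(self, secret_len: int, rotate_on_enable: bool):
        self.secret_len = secret_len
        self.rotate_on_enable = rotate_on_enable
        self.secret = None
        self.enabled = False

    def enable(self) -> bytes:
        # Weak path: reuse whatever secret is already stored.
        # Hardened path: every enrollment gets a fresh CSPRNG secret.
        if self.secret is None or self.rotate_on_enable:
            self.secret = secrets.token_bytes(self.secret_len)
        self.enabled = True
        return self.secret

    def disable(self) -> None:
        self.enabled = False
        if self.rotate_on_enable:
            self.secret = None  # hardened: nothing left to reuse later

    def verify(self, code: str, unix_time: int) -> bool:
        if not self.enabled or self.secret is None:
            return False
        return hmac.compare_digest(totp(self.secret, unix_time), code)


def reenable_scenario(secret_len: int, rotate_on_enable: bool,
                      unix_time: int = 1_700_000_000) -> dict:
    """Model the advisory's scenario: the secret from the first enrollment leaks
    (e.g. the provisioning QR code was captured), then the user disables OTP and
    re-enables it. Does the leaked secret still produce valid codes?"""
    user = OtpEnrollment(secret_len, rotate_on_enable)
    leaked = user.enable()
    user.disable()
    current = user.enable()
    return {
        "secret_bits": secret_bits(current),
        "meets_rfc4226_recommendation": secret_bits(current) >= RFC4226_RECOMMENDED_BITS,
        "secret_rotated": current != leaked,
        "stale_secret_accepted": user.verify(totp(leaked, unix_time), unix_time),
    }


if __name__ == "__main__":
    print("vulnerable:", reenable_scenario(secret_len=12, rotate_on_enable=False))
    print("hardened:  ", reenable_scenario(secret_len=20, rotate_on_enable=True))
```

In the vulnerable configuration the result reports a 96-bit secret, no rotation, and the stale code accepted; in the hardened configuration a 160-bit secret, rotation, and the stale code rejected. The point of discarding the secret in disable() rather than only on enable() is that a "disabled" account should hold nothing an attacker could reuse if the enable path is ever reached another way.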
Potential Impact
The primary impact of this vulnerability is a weakening of multi-factor authentication in affected SOGo deployments. Because the same short OTP secret is kept after OTP is disabled and re-enabled, an attacker with sufficient privileges or insider access who has obtained that secret, or who can search a low-entropy secret, can continue to produce valid codes for the account, increasing the risk of unauthorized access. That could lead to unauthorized mailbox access, data leakage, or further compromise of organizational resources tied to the SOGo server. Exploitation complexity is high, however, and privileged access plus user interaction are required, which rules out opportunistic mass exploitation. The vulnerability does not directly affect availability or broad confidentiality, but it could support targeted attacks against specific user accounts. Organizations relying on SOGo for secure communication and collaboration face an increased risk of account compromise if they neither apply the patch nor enforce proper OTP management.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade all affected SOGo instances to version 5.12.5 or later, where OTP secret renewal and secret length have been corrected. The fix governs secrets generated from then on; users who enrolled on a vulnerable version, and in particular any who disabled and re-enabled OTP, should re-enroll so that a fresh secret of the corrected length is issued. Until the upgrade is applied, administrators should enforce strict OTP management, including manual rotation of OTP secrets whenever a user disables and re-enables OTP authentication. Compensating controls include monitoring for suspicious authentication attempts, enforcing strong password policies so the first factor is not the weak link, and limiting administrative privileges, since exploitation requires them. Regular audits of MFA configurations and of authentication logs can help detect misuse. Educating users about OTP secret hygiene (not sharing provisioning QR codes, removing stale authenticator entries) and about the risks of disabling and re-enabling MFA also reduces exposure. Finally, integrating SOGo authentication with an external MFA provider can offer a more robust second factor.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, South Korea, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-22T02:16:55.848Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bf545af4197a8e3b1d674e
Added to database: 3/22/2026, 2:30:50 AM
Last enriched: 3/22/2026, 2:46:14 AM
Last updated: 3/22/2026, 5:01:21 AM