SOGo OTP Renewal Vulnerability and Short Key Length Issue

Vulnerability

A vulnerability exists in SOGo versions prior to 5.12.5, where the One-Time Password (OTP) is not properly renewed when a user disables and re-enables it. Additionally, the OTP key length is insufficient, consisting of only 12 digits instead of the recommended 20.

Impact

Failure to properly renew the OTP secret means that the secret from the previous enrolment remains valid after the user believes it has been replaced, potentially allowing unauthorized access with codes derived from the old secret. The short key length weakens the OTP's security, making the secret more susceptible to brute-force attacks.

Reproduction

In SOGo versions prior to 5.12.5, disable the OTP feature and then re-enable it. The OTP secret is not renewed: the secret from before the disable step is still in use. Additionally, inspecting the OTP key reveals that it is only 12 digits long.

Remediation

Upgrade to SOGo version 5.12.5 or later, where this vulnerability has been addressed.
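The two defects above (a secret that survives disable/re-enable, and a secret shorter than 20 characters) are illustrated below with a minimal OTP account model. This is an added example, not SOGo's code; it assumes the advisory's "20" refers to the length of the base32 secret, and enforces that as MIN_SECRET_LENGTH.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Minimum secret length taken from the advisory (20 rather than 12); assumed
# here to mean base32 characters.
MIN_SECRET_LENGTH = 20
_BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def generate_secret(length: int = MIN_SECRET_LENGTH) -> str:
    """Return a fresh, CSPRNG-generated base32 secret of at least 20 characters."""
    if length < MIN_SECRET_LENGTH:
        raise ValueError(f"OTP secret must be at least {MIN_SECRET_LENGTH} characters")
    return "".join(secrets.choice(_BASE32_ALPHABET) for _ in range(length))


def totp(secret: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpAccount:
    """Per-user OTP state. Re-enabling always mints a new secret (the fixed behaviour)."""

    def __init__(self):
        self.secret = None  # None means OTP is disabled

    def enable(self) -> str:
        self.secret = generate_secret()  # never reuse a previous enrolment's secret
        return self.secret

    def disable(self) -> None:
        self.secret = None

    def verify(self, code: str, now=None) -> bool:
        """Accept the current 30 s step plus one step either side for clock drift."""
        if self.secret is None:
            return False
        now = int(time.time()) if now is None else now
        return any(hmac.compare_digest(totp(self.secret, now + d * 30), code)
                   for d in (-1, 0, 1))
```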

Added: Mar 22, 2026, 3:17 AM
Updated: Mar 22, 2026, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.3
exploitability: 8.4
remediation: 7.7
relevance: 4.5
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.