Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
Published: 2026-02-04
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side request forgery enabling internal host enumeration and arbitrary file read
Action: Immediate Patch
AI Analysis

Impact

An authenticated user belonging to the System Administrator group can trigger a full server‑side request forgery via the WOPI service discovery URL. The vulnerability also allows direct reading of files on the host. The exploit path relies on the built‑in debug system to expose the SSRF response body, effectively turning the request into an exfiltration channel. This weakness falls under CWE‑918 and can lead to the disclosure of sensitive internal information and the compromise of file integrity.

Affected Systems

The flaw affects Intermesh Group‑Office installations with versions prior to 6.8.150, 25.0.82, and 26.0.5. All affected releases are listed on the Group‑Office product page and the CVE advisory. Systems running a later version are not impacted.

Risk and Exploitability

The CVSS v3.1 score of 8.2 reflects a high severity, and the EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation at present. The vulnerability is not included in the CISA KEV catalog, suggesting no known active exploitation. Attack execution requires authenticated access with System Administrator privileges; from there, an attacker can instruct the server to make requests to any internal host or port and read any file available to the process. Given the high impact and the need for privileged access, organizations should treat this as a critical patching priority.

Generated by OpenCVE AI on April 17, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch that updates Group‑Office to version 6.8.150 or newer, 25.0.82 or newer, or 26.0.5 or newer, thereby eliminating the SSRF and file read paths.
  • If an immediate patch is not possible, restrict the System Administrator group to a minimal trusted set of users, and consider disabling the WOPI service discovery and the built‑in debug system to reduce the attack surface.
  • Enforce network segmentation and monitoring so that outbound requests from the Group‑Office server to internal addresses are logged and routinely reviewed for anomalous activity.

Generated by OpenCVE AI on April 17, 2026 at 23:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Group-office
Group-office group Office
CPEs cpe:2.3:a:group-office:group_office:*:*:*:*:*:*:*:*
Vendors & Products Group-office
Group-office group Office
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Thu, 05 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Intermesh
Intermesh group-office
Vendors & Products Intermesh
Intermesh group-office

Wed, 04 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Description Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
Title Group-Office is vulnerable to SSRF and File Read in WOPI service discovery
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Group-office Group Office
Intermesh Group-office
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T21:02:22.830Z

Reserved: 2026-02-02T18:21:42.486Z

Link: CVE-2026-25511

cve-icon Vulnrichment

Updated: 2026-02-05T21:02:08.037Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T21:16:02.243

Modified: 2026-02-11T19:16:29.217

Link: CVE-2026-25511

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses