Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
Published: 2026-03-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover
Action: Patch
AI Analysis

Impact

The vulnerability is an SQL Injection in the JMAP Contact/query endpoint, allowing an authenticated user with addressbook access to read arbitrary database contents, including session tokens. This can enable full takeover of any user, including administrators, without password knowledge.

Affected Systems

Intermesh Group‑Office versions earlier than 6.8.158, 25.0.92 and 26.0.17 are affected. These are the enterprise CRM and groupware platform employed by many organizations.

Risk and Exploitability

The flaw scores a CVSS of 8.8, indicating high severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The attack requires authentication and basic contact‑book read rights, so only users with such access can exploit it, but the impact remains significant due to the ability to obtain session tokens and hijack accounts.

Generated by OpenCVE AI on March 27, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Group‑Office 6.8.158, 25.0.92, or 26.0.17 or later.

Generated by OpenCVE AI on March 27, 2026 at 15:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:intermesh:group-office:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Intermesh
Intermesh group-office
Vendors & Products Intermesh
Intermesh group-office

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
Title Authenticated SQL Injection in Contact/query addressBookIds filter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Intermesh Group-office
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T17:23:30.752Z

Reserved: 2026-03-23T18:30:14.125Z

Link: CVE-2026-33755

cve-icon Vulnrichment

Updated: 2026-03-27T17:23:26.332Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T15:16:57.527

Modified: 2026-04-20T12:35:02.850

Link: CVE-2026-33755

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:01:55Z

Weaknesses