Platform: php
Component: groupoffice
Fixed in: 6.8.159, 25.0.93, 26.0.18
CVE-2026-33755 is an SQL Injection vulnerability in Group-Office, a customer relationship management (CRM) and groupware tool. An authenticated user with basic addressbook access can use it to extract arbitrary data from the database, up to and including account takeover. Versions up to and including 6.8.158, 25.0.92 and 26.0.17 are affected; the fix ships in 6.8.159, 25.0.93 and 26.0.18.
The flaw is an authenticated SQL Injection in the JMAP Contact/query endpoint. Because the injected query runs with the application's database privileges, an attacker is not limited to contact data: they can read the active session tokens of other users and replay them to take over any account, including the System Administrator, without knowing a password. The severity is rated high (CVSS 8.8) because a low-privilege account is enough to reach both confidential data and full control over other accounts; follow-on impact includes disclosure of sensitive information, manipulation of records and disruption of business operations. Updating to 6.8.159, 25.0.93 or 26.0.18 (or later on the same branch) removes the vulnerability.
Exploitation goes through the JMAP Contact/query endpoint. A JMAP query method takes client-supplied arguments such as a filter and a sort order; in the affected versions, attacker-controlled input from this request reaches the SQL query unescaped, so an attacker with basic addressbook access can alter the query and pull rows from tables the endpoint was never meant to expose, such as the session table. With a stolen token the attacker impersonates that user, administrator included, with no further credential needed. Authentication is a prerequisite, but any ordinary account with addressbook access satisfies it, and the low complexity of the attack means it is within reach of attackers of modest skill.
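To make the failure mode concrete, the following added example (not Group-Office's code; this page does not identify which Contact/query argument is the injected one, so the handler below models the generic shape of a JMAP query method with a `filter.text` value and a `sort` property) runs an interpolated query beside a parameterised one against a constructed SQLite schema. The table and column names are hypothetical. The point it shows is the one the advisory makes: an addressbook-scoped query, once injectable, can read a completely different table.

```python
import sqlite3

# Constructed in-memory schema: a contacts table plus a table of live session
# tokens. Names are hypothetical, not Group-Office's real schema.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contact (id INTEGER PRIMARY KEY, addressBookId INTEGER, name TEXT);
        CREATE TABLE session_token (userId INTEGER, token TEXT);
        INSERT INTO contact VALUES (1, 1, 'Alice Example');
        INSERT INTO contact VALUES (2, 1, 'Bob Example');
        INSERT INTO contact VALUES (3, 9, 'Carol Private');
        INSERT INTO session_token VALUES (1, 'tok-admin-0000');
        INSERT INTO session_token VALUES (7, 'tok-user-7777');
    """)
    return conn

# Sort properties a JMAP client may ask for, mapped to the real column names.
SORT_COLUMNS = {"name": "name", "id": "id"}

def _filter_and_sort(request: dict) -> tuple:
    text = request.get("filter", {}).get("text", "")
    sort = request.get("sort", [{"property": "name"}])[0]["property"]
    return text, sort

def contact_query_vulnerable(conn, request: dict, address_book_id: int) -> list:
    """Handler that interpolates the JMAP filter text and sort property into SQL."""
    text, sort = _filter_and_sort(request)
    sql = (
        "SELECT id, name FROM contact "
        f"WHERE addressBookId = {address_book_id} AND name LIKE '%{text}%' "
        f"ORDER BY {sort}"
    )
    return conn.execute(sql).fetchall()

def contact_query_fixed(conn, request: dict, address_book_id: int) -> list:
    """Same handler with bound parameters and an allow-listed sort column.
    The address book id stays a bound value too, so the scope check cannot be
    talked out of the query."""
    text, sort = _filter_and_sort(request)
    if sort not in SORT_COLUMNS:
        raise ValueError(f"unsupported sort property: {sort!r}")
    sql = (
        "SELECT id, name FROM contact "
        "WHERE addressBookId = ? AND name LIKE ? "
        f"ORDER BY {SORT_COLUMNS[sort]}"
    )
    return conn.execute(sql, (address_book_id, f"%{text}%")).fetchall()

# Constructed attacker request: the filter text closes the LIKE literal and
# appends a UNION that reads session tokens; "--" comments out the rest.
ATTACK = {"filter": {"text": "zzz%' UNION SELECT userId, token FROM session_token -- "}}
LEGIT = {"filter": {"text": "Ali"}, "sort": [{"property": "name"}]}

def demo() -> dict:
    conn = setup_db()
    return {
        "vulnerable_leak": contact_query_vulnerable(conn, ATTACK, 1),
        "fixed_same_input": contact_query_fixed(conn, ATTACK, 1),
        "fixed_legit": contact_query_fixed(conn, LEGIT, 1),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable handler returns the two session tokens for a request that was only ever allowed to see address book 1; the fixed handler returns nothing for the same input and still answers the legitimate search. Note that parameter binding alone does not cover `ORDER BY`: a column name cannot be bound, so the sort property has to be allow-listed, which is why the fixed version rejects anything outside `SORT_COLUMNS`.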
Exploit Status
EPSS: 0.03% (10th percentile)
The fix for CVE-2026-33755 is to update Group-Office to 6.8.159, 25.0.93 or 26.0.18, or a later release on the same branch. Apply the update immediately. Because the attack harvests session tokens, also invalidate all active sessions once the patched version is running, so that tokens extracted before the upgrade stop working; a password change alone does not revoke an already-issued token. Review your password-management and authentication policies against current best practice, monitor Group-Office logs for suspicious activity, and consider an Intrusion Detection System (IDS) to spot and respond to attacks in real time. The update remains the only measure that removes the vulnerability itself.
Updating Group-Office to 6.8.159, 25.0.93 or 26.0.18, or later, corrects the SQL Injection and so prevents the extraction of confidential data and the resulting account takeover.
Versions up to and including 6.8.158, 25.0.92 and 26.0.17 are vulnerable; 6.8.159, 25.0.93 and 26.0.18 contain the fix.
Check the Group-Office version shown in the system configuration. Compare it against the fix version for its own branch (6.8.x, 25.0.x or 26.0.x), comparing the numeric components rather than the strings; if it is older, update immediately.
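An added helper, not from Group-Office, for checking a fleet of installations against the fix versions listed on this page. It takes version strings as you would read them from the system configuration (how to collect them is assumed to be handled outside the script) and compares them numerically per branch, which avoids the classic mistake of string comparison treating "6.8.9" as newer than "6.8.159".

```python
from typing import Optional

# Fix versions as stated in this page's "Fixed in" field, keyed by branch.
# Anything below the fix on its own branch is vulnerable.
FIXED_IN = {
    "6.8": (6, 8, 159),
    "25.0": (25, 0, 93),
    "26.0": (26, 0, 18),
}

def parse_version(version: str) -> tuple:
    """Turn 'major.minor.patch' into an int tuple so comparisons are numeric."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Group-Office version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fix on its branch, False if at or above it,
    None if the branch is not one of those listed on this page."""
    ver = parse_version(version)
    fix = FIXED_IN.get(f"{ver[0]}.{ver[1]}")
    if fix is None:
        return None
    return ver < fix

def triage(inventory: dict) -> dict:
    """Map hostname -> version string to hostname -> 'vulnerable' / 'fixed' / 'unknown branch'."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown branch"}
    return {host: labels[is_vulnerable(v)] for host, v in inventory.items()}

# Constructed sample inventory for the demonstration.
SAMPLE_INVENTORY = {
    "crm-prod": "6.8.158",
    "crm-staging": "6.8.159",
    "office-eu": "25.0.92",
    "office-us": "26.0.18",
    "legacy": "6.7.100",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as "unknown branch" are not cleared by this script; they simply are not on a branch this page lists, and need to be checked against the vendor's own advisory.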
Invalidate all active sessions so that any extracted session tokens stop working, reset all user passwords, review system logs for suspicious Contact/query activity and unexpected logins, and consider a security audit. Session invalidation matters more than the password reset here: the vulnerability steals tokens, not passwords, and a stolen token stays valid until it is revoked.
Currently, there are no specific tools available, but we recommend performing penetration testing and security audits.
JMAP (JSON Meta Application Protocol, RFC 8620) is a protocol for accessing and manipulating data in email, calendar and contacts applications; Contact/query is its standard query method for the Contact data type, taking client-supplied filter and sort arguments.