Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in...

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.

Basic Information

ID CVE-2026-34838

Source GitHub_M

Published Apr 2, 2026 at 19:15

Modified Apr 3, 2026 at 12:55

Affected Product

Vendor Intermesh

Product groupoffice

Version < 6.8.156

Affected Versions Intermesh groupoffice < 6.8.156
Intermesh groupoffice < 25.0.90
Intermesh groupoffice < 26.0.12

CWE Classification

CWE-502

References

{
    "lastseen": "",
    "description": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.",
    "published": "2026-04-02T19:15:40.591Z",
    "modified": "2026-04-03T12:55:48.631Z",
    "type": "cve",
    "title": "Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`",
    "source": "GitHub_M",
    "references": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq\nhttps://github.com/Intermesh/groupoffice/releases/tag/v25.0.90\nhttps://github.com/Intermesh/groupoffice/releases/tag/v26.0.12\nhttps://github.com/Intermesh/groupoffice/releases/tag/v6.8.156",
    "id": "CVE-2026-34838",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "Intermesh groupoffice < 6.8.156\nIntermesh groupoffice < 25.0.90\nIntermesh groupoffice < 26.0.12",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "groupoffice",
    "version": "< 6.8.156",
    "vendor": "Intermesh",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`_CVE-2026-34838