Authenticated SQL Injection in Contact/query addressBookIds filter_CVE-2026-33755

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.

Basic Information

ID CVE-2026-33755

Source GitHub_M

Published Mar 27, 2026 at 14:08

Modified Mar 27, 2026 at 17:23

Affected Product

Vendor Intermesh

Product groupoffice

Version < 6.8.158

Affected Versions Intermesh groupoffice < 6.8.158
Intermesh groupoffice < 25.0.92
Intermesh groupoffice < 26.0.17

CWE Classification

CWE-89

References

github.com /Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc

{
    "lastseen": "",
    "description": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database \u2014 including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.",
    "published": "2026-03-27T14:08:38.685Z",
    "modified": "2026-03-27T17:23:30.752Z",
    "type": "cve",
    "title": "Authenticated SQL Injection in Contact/query addressBookIds filter",
    "source": "GitHub_M",
    "references": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc",
    "id": "CVE-2026-33755",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "Intermesh groupoffice < 6.8.158\nIntermesh groupoffice < 25.0.92\nIntermesh groupoffice < 26.0.17",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "groupoffice",
    "version": "< 6.8.158",
    "vendor": "Intermesh",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}