CVE-2026-25511
SSRF and Server-Side File Read in Group-Office WOPI Service
Publication date: 2026-02-04
Last updated on: 2026-02-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| group-office | group_office | From 25.0.1 (inc) to 25.0.82 (exc) |
| group-office | group_office | From 26.0.1 (inc) to 26.0.5 (exc) |
| group-office | group_office | From 6.8.0 (inc) to 6.8.150 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25511 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Group-Office PHP package, specifically in the WOPI service discovery component.

An authenticated user with System Administrator privileges can supply a malicious URL to the WOPI service, which is used without proper validation. This allows the attacker to make the server send HTTP requests to internal hosts and ports.

The vulnerability also allows the attacker to exfiltrate the response body of these SSRF requests via the built-in debug system, effectively turning the SSRF into a visible attack.

Additionally, if the server's cURL runtime supports the "file://" protocol, the attacker can read arbitrary files on the server by specifying file URLs, with the file contents retrievable through the debug system. [1]

How can this vulnerability impact me?
This vulnerability can have several serious impacts:

- Unauthorized internal network access, allowing attackers to reach internal hosts and services that are normally inaccessible.
- Disclosure of sensitive information by exfiltrating the full HTTP response bodies from SSRF requests.
- Full server-side file reading, enabling attackers to read arbitrary files on the server if the "file://" protocol is supported.
- Potential exposure of sensitive internal metadata and configuration data.

[1]

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to exploit the SSRF via the WOPI service discovery URL by an authenticated System Administrator user.

One method is to monitor for HTTP requests that include the "X-Debug: 1" header targeting the WOPI service endpoints, especially calls to community/dev/Debugger/get or WopiService/set.

Since the exploit involves sending a malicious URL to the WOPI service with appended "/hosting/discovery" or bypassing it with URL fragments, network logs or application logs can be searched for such patterns.

Suggested commands to detect exploitation attempts include:

- Using grep on web server logs to find requests with the "X-Debug: 1" header (this matches only if the log format records request headers, which the default nginx access log does not): `grep -i 'X-Debug: 1' /var/log/nginx/access.log`
- Searching for URLs containing "/hosting/discovery" or suspicious URL fragments in logs: `grep -E '/hosting/discovery|#' /var/log/nginx/access.log`
- Monitoring authenticated System Administrator API calls to WopiService/set or community/dev/Debugger/get endpoints.

Additionally, reviewing application debug logs for unexpected output of HTTP response bodies from internal requests may indicate exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Group-Office to a patched version where this vulnerability is fixed.

- Upgrade to Group-Office versions 6.8.150, 25.0.82, or 26.0.5 or later, which contain the fix for CVE-2026-25511.

If immediate upgrade is not possible, restrict access to the WOPI service discovery URL and debug endpoints to trusted users only, especially limiting System Administrator privileges.

Disable or restrict the debug system that exposes SSRF response bodies, for example by preventing requests with the "X-Debug: 1" header or disabling debug output in production environments.

Monitor and audit logs for suspicious SSRF activity and unauthorized internal network access attempts. [1, 2]
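The missing validation described above (arbitrary schemes such as "file://", internal hosts, and a fragment that swallows the appended "/hosting/discovery") can be expressed as a pre-fetch check on the configured WOPI URL. This is an added Python illustration, not Group-Office code and not the project's actual fix; the function names, the HTTPS-only policy, and the sample DNS table are assumptions, and a deployment whose office server sits on a private address would need an explicit allowlist instead of the public-address rule.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: discovery is only ever fetched over HTTPS
# Constructed sample DNS data so the example runs offline.
SAMPLE_DNS = {"office.example.com": ["93.184.216.34"],
              "intranet.example.com": ["10.0.0.5"]}


def sample_resolver(host):
    """Offline stand-in for DNS; IP literals resolve to themselves."""
    return SAMPLE_DNS.get(host, [host])


def system_resolver(host):
    """Every address the host resolves to, via the OS resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def requested_path(base_url):
    """Path actually sent once '/hosting/discovery' is appended."""
    return urlsplit(base_url + "/hosting/discovery").path


def check_wopi_base_url(url, resolver=system_resolver):
    """Return (ok, reason) for an administrator-supplied WOPI base URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"  # file://, gopher://, http://
    if "#" in url or "?" in url:
        return False, "fragment or query not allowed"  # would swallow the suffix
    if parts.username or parts.password or not parts.hostname:
        return False, "bad authority"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])
        except ValueError:
            return False, "host does not resolve"
        if not ip.is_global:  # loopback, RFC 1918, link-local, ...
            return False, f"non-public address {ip}"
    return True, "ok"
```

The verdict only holds if the HTTP client then connects to the address that was checked and does not follow redirects. With cURL, `CURLOPT_PROTOCOLS` can additionally restrict the handle to HTTPS so that "file://" is refused by the transport itself.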