CVE-2026-25511
Unknown Unknown - Not Provided
SSRF and Server-Side File Read in Group-Office WOPI Service

Publication date: 2026-02-04

Last updated on: 2026-02-11

Assigner: GitHub, Inc.

Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25511
EUVD
EUVD-2026-5348
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
group-office group_office From 25.0.1 (inc) to 25.0.82 (exc)
group-office group_office From 26.0.1 (inc) to 26.0.5 (exc)
group-office group_office From 6.8.0 (inc) to 6.8.150 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25511 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Group-Office PHP package, specifically in the WOPI service discovery component.'}, {'type': 'paragraph', 'content': 'An authenticated user with System Administrator privileges can supply a malicious URL to the WOPI service, which is used without proper validation. This allows the attacker to make the server send HTTP requests to internal hosts and ports.'}, {'type': 'paragraph', 'content': 'The vulnerability also allows the attacker to exfiltrate the response body of these SSRF requests via the built-in debug system, effectively turning the SSRF into a visible attack.'}, {'type': 'paragraph', 'content': 'Additionally, if the server\'s cURL runtime supports the "file://" protocol, the attacker can read arbitrary files on the server by specifying file URLs, with the file contents retrievable through the debug system.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have several serious impacts:'}, {'type': 'list_item', 'content': 'Unauthorized internal network access, allowing attackers to reach internal hosts and services that are normally inaccessible.'}, {'type': 'list_item', 'content': 'Disclosure of sensitive information by exfiltrating the full HTTP response bodies from SSRF requests.'}, {'type': 'list_item', 'content': 'Full server-side file reading, enabling attackers to read arbitrary files on the server if the "file://" protocol is supported.'}, {'type': 'list_item', 'content': 'Potential exposure of sensitive internal metadata and configuration data.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying attempts to exploit the SSRF via the WOPI service discovery URL by an authenticated System Administrator user.'}, {'type': 'paragraph', 'content': 'One method is to monitor for HTTP requests that include the "X-Debug: 1" header targeting the WOPI service endpoints, especially calls to community/dev/Debugger/get or WopiService/set.'}, {'type': 'paragraph', 'content': 'Since the exploit involves sending a malicious URL to the WOPI service with appended "/hosting/discovery" or bypassing it with URL fragments, network logs or application logs can be searched for such patterns.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using grep on web server logs to find requests with the "X-Debug: 1" header: grep -i \'X-Debug: 1\' /var/log/nginx/access.log'}, {'type': 'list_item', 'content': 'Searching for URLs containing "/hosting/discovery" or suspicious URL fragments in logs: grep -E \'/hosting/discovery|#\' /var/log/nginx/access.log'}, {'type': 'list_item', 'content': 'Monitoring authenticated System Administrator API calls to WopiService/set or community/dev/Debugger/get endpoints.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing application debug logs for unexpected output of HTTP response bodies from internal requests may indicate exploitation.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade Group-Office to a patched version where this vulnerability is fixed.'}, {'type': 'list_item', 'content': 'Upgrade to Group-Office versions 6.8.150, 25.0.82, or 26.0.5 or later, which contain the fix for CVE-2026-25511.'}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, restrict access to the WOPI service discovery URL and debug endpoints to trusted users only, especially limiting System Administrator privileges.'}, {'type': 'paragraph', 'content': 'Disable or restrict the debug system that exposes SSRF response bodies, for example by preventing requests with the "X-Debug: 1" header or disabling debug output in production environments.'}, {'type': 'paragraph', 'content': 'Monitor and audit logs for suspicious SSRF activity and unauthorized internal network access attempts.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart