CVE-2026-33755
Authenticated SQL Injection in Group-Office JMAP Enables Account Takeover
Publication date: 2026-03-27
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intermesh | group-office | Up to 6.8.158 (exc) |
| intermesh | group-office | From 25.0.1 (inc) to 25.0.92 (exc) |
| intermesh | group-office | From 26.0.1 (inc) to 26.0.17 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user with basic addressbook access to extract arbitrary data from the database, including active session tokens of other users, enabling full account takeover without knowing passwords.
This can lead to unauthorized access to sensitive personal data such as passwords, emails, private addressbooks, calendars, notes, and files.
Such unauthorized data exposure and account takeover can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Therefore, this vulnerability poses a significant risk to compliance with these standards by compromising confidentiality, integrity, and availability of protected data.
Can you explain this vulnerability to me?
CVE-2026-33755 is an authenticated SQL Injection vulnerability in the Group-Office software, specifically in the JMAP Contact/query endpoint's addressBookIds filter.
The vulnerability occurs because the filter takes an array directly from the JSON request and joins its elements into a raw SQL string without validating them or binding them as parameters. That string is then executed, so any element of the array can rewrite the query.
Any authenticated user with basic addressbook read access can exploit this flaw to extract arbitrary data from the database, including sensitive information such as passwords, emails, file metadata, and the active session tokens of other users.
This enables full account takeover of any user, including the System Administrator, without knowing their password.
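The flaw class described above, reproduced against a constructed toy schema as an added example. This is not Group-Office's code: the table and column names, the sample rows and the payload are assumptions made for illustration only, and the payload is written for this toy schema, not for the real product. The vulnerable builder joins the array into the SQL text; the hardened builder validates each element as an id, applies an access-control list, and binds the values with placeholders.

```python
import re
import sqlite3

# Constructed toy schema. Table and column names are assumptions for this
# illustration, not Group-Office's real schema.
SCHEMA = """
CREATE TABLE contact (id INTEGER PRIMARY KEY, addressBookId INTEGER, name TEXT);
CREATE TABLE session (userId INTEGER, token TEXT);
"""

PLAIN_ID = re.compile(r"[0-9]+")


def make_db():
    """Build an in-memory database with sample rows (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contact VALUES (?, ?, ?)",
                     [(10, 1, "Alice"), (11, 2, "Bob")])
    conn.executemany("INSERT INTO session VALUES (?, ?)",
                     [(1, "admin-session-token"), (2, "user-session-token")])
    return conn


def query_vulnerable(conn, address_book_ids):
    """The flaw class the advisory describes: the addressBookIds array is
    joined straight into the SQL text, so any element can rewrite the query."""
    joined = ",".join(str(v) for v in address_book_ids)
    sql = f"SELECT id, name FROM contact WHERE addressBookId IN ({joined})"
    return conn.execute(sql).fetchall()


def _as_id(value):
    """Accept an int or a digits-only string; reject everything else."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if isinstance(value, str) and PLAIN_ID.fullmatch(value):
        return int(value)
    raise ValueError(f"addressBookIds element is not an id: {value!r}")


def query_hardened(conn, address_book_ids, readable_ids):
    """Validate each element as an id, drop ids the caller may not read,
    then bind with placeholders so the values can never become SQL."""
    ids = [i for i in (_as_id(v) for v in address_book_ids) if i in readable_ids]
    if not ids:
        return []
    placeholders = ",".join("?" for _ in ids)
    sql = f"SELECT id, name FROM contact WHERE addressBookId IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


# Illustrative payload against the toy schema: closes the IN list, appends a
# UNION that reads the session table, and comments out the rest of the query.
PAYLOAD = ["1) UNION SELECT userId, token FROM session --"]


def demo():
    """Run the payload through both builders and report what each did."""
    conn = make_db()
    leaked = query_vulnerable(conn, PAYLOAD)
    tokens = sorted(name for _, name in leaked if name.endswith("-session-token"))
    try:
        query_hardened(conn, PAYLOAD, readable_ids={1})
        blocked = False
    except ValueError:
        blocked = True
    # A legitimate request: user may read addressbook 1 but asks for 1 and 2.
    acl_filtered = query_hardened(conn, ["1", 2], readable_ids={1})
    return {"leaked_tokens": tokens, "payload_blocked": blocked,
            "acl_filtered": acl_filtered}


if __name__ == "__main__":
    print(demo())
```

The vulnerable builder returns both session tokens alongside the contact rows, which is exactly the account-takeover path the advisory describes; the hardened builder raises on the payload and, for a well-formed request, only returns contacts from addressbooks the caller is allowed to read.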
How can this vulnerability impact me?
This vulnerability can have severe impacts including full compromise of the Group-Office system.
- Attackers can extract arbitrary data from the database such as passwords, emails, file metadata, and active session tokens.
- Attackers can take over any user account, including administrators, without knowing their passwords.
- Once compromised, attackers can create or delete users, change any user's password, access all private addressbooks, calendars, notes, and files, and modify system configurations.
This means a regular user with minimal privileges can silently escalate to full system administrator privileges, leading to a complete system breach.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an authenticated SQL injection in the JMAP Contact/query method, reached through the addressBookIds filter. Detection means looking for crafted values in that filter and for the database activity they produce.
Since exploitation requires an authenticated account with addressbook read access, look for JMAP requests whose addressBookIds filter contains anything other than plain addressbook IDs (quotes, parentheses, SQL keywords such as UNION or SELECT, or comment sequences), and correlate them with the account that sent them.
Suggested commands or approaches include:
- Review application or reverse-proxy logs for POST requests to the JMAP API that carry a Contact/query method call with a filter.addressBookIds value. JMAP sends the method name and its arguments in the JSON request body, not in the URL, so a standard web server access log that records only the request line will not show them; request-body logging on the application or proxy side is needed for this check.
- Enable query logging on the database and look for queries against the contact tables that contain UNION, comment sequences, or other fragments that a legitimate addressBookIds filter would never produce.
- Example command to search logs for suspicious requests (assuming request bodies are written to access.log):
- grep -i 'Contact/query' access.log | grep 'addressBookIds'
- Monitor for session anomalies, for example an existing session token suddenly used from a new client address or user agent, which could indicate session token theft.
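The log review described above, implemented as an added example over constructed data (this is not a Group-Office tool). It assumes the standard JMAP request shape, a methodCalls array of [name, arguments, callId] triples with filters that may nest FilterOperator conditions, and a log format of one line per request holding the user and the JSON body; the page does not say whether Group-Office records request bodies, so that format is an assumption. Each Contact/query call whose addressBookIds filter carries anything other than plain numeric ids is reported with its call id.

```python
import json
import re

PLAIN_ID = re.compile(r"[0-9]+")


def _suspect(value):
    """Elements of an addressBookIds value that are not plain numeric ids.
    A value that is not a list at all is reported whole."""
    if not isinstance(value, list):
        return [value]
    return [v for v in value
            if isinstance(v, bool)
            or not (isinstance(v, int)
                    or (isinstance(v, str) and PLAIN_ID.fullmatch(v)))]


def _address_book_ids(filter_obj, found):
    """Collect addressBookIds from a JMAP filter, descending into nested
    FilterOperator conditions ({"operator": ..., "conditions": [...]})."""
    if not isinstance(filter_obj, dict):
        return
    if "addressBookIds" in filter_obj:
        found.append(filter_obj["addressBookIds"])
    for cond in filter_obj.get("conditions") or []:
        _address_book_ids(cond, found)


def scan_body(body_text):
    """Return (callId, suspect_values) for every Contact/query call whose
    addressBookIds filter carries something other than plain ids."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return []
    if not isinstance(body, dict):
        return []
    findings = []
    for call in body.get("methodCalls") or []:
        if not (isinstance(call, list) and len(call) == 3):
            continue
        name, args, call_id = call
        if name != "Contact/query" or not isinstance(args, dict):
            continue
        found = []
        _address_book_ids(args.get("filter"), found)
        for value in found:
            bad = _suspect(value)
            if bad:
                findings.append((call_id, bad))
    return findings


# Constructed log lines: "<user> <json body>" per line. The format is an
# assumption; the page does not say whether Group-Office logs request bodies.
SAMPLE_LOG = [
    'alice {"methodCalls": [["Contact/query", {"accountId": "1", '
    '"filter": {"addressBookIds": ["3", "7"]}}, "c0"]]}',
    'bob {"methodCalls": [["Contact/query", {"accountId": "1", '
    '"filter": {"addressBookIds": ["3) UNION SELECT 1,2 --"]}}, "c1"]]}',
    'carol {"methodCalls": [["Contact/query", {"accountId": "1", '
    '"filter": {"operator": "AND", "conditions": [{"text": "smith"}, '
    '{"addressBookIds": [3, "x\' OR 1=1"]}]}}, "c2"]]}',
    'dave {"methodCalls": [["Contact/get", {"accountId": "1", '
    '"ids": ["3) --"]}, "c3"]]}',
]


def scan_log(lines):
    """Map each user with suspicious Contact/query calls to their findings."""
    report = {}
    for line in lines:
        user, _, body = line.partition(" ")
        findings = scan_body(body)
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in scan_log(SAMPLE_LOG).items():
        print(user, findings)
```

Only bob and carol are reported: alice's ids are plain, and dave's malformed value sits in a Contact/get call, which this vulnerability does not involve. The nested-condition handling matters because a JMAP filter may wrap the addressBookIds condition inside an AND/OR operator, where a check that only looks at the top-level filter would miss it.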
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Group-Office to a fixed version. The vulnerability is patched in versions 6.8.158, 25.0.92, and 26.0.17.
Until the upgrade can be applied, restrict access to the JMAP API to trusted users or IP addresses and monitor it for suspicious activity. JMAP multiplexes every method call over a single HTTP endpoint, so Contact/query cannot be blocked by URL alone; restricting it selectively requires inspecting request bodies at a reverse proxy or in the application.
Additionally, review and tighten user permissions to limit who has basic addressbook access, since any authenticated user with that access can exploit the vulnerability.
If possible, temporarily disable the JMAP API, or at least reject requests whose Contact/query addressBookIds filter contains anything other than plain addressbook IDs, until the fixed version is installed.