CVE-2026-33755
Received Received - Intake
Authenticated SQL Injection in Group-Office JMAP Enables Account Takeover

Publication date: 2026-03-27

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database β€” including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33755
EUVD
EUVD-2026-16622
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
intermesh group-office to 6.8.158 (exc)
intermesh group-office From 25.0.1 (inc) to 25.0.92 (exc)
intermesh group-office From 26.0.1 (inc) to 26.0.17 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33755 is an authenticated SQL Injection vulnerability in the Group-Office software, specifically in the JMAP Contact/query endpoint's addressBookIds filter.

The vulnerability occurs because the filter accepts an array directly from the request and concatenates it into a raw SQL string without sanitization or parameterized binding. This raw SQL is then executed, allowing attackers to inject malicious SQL commands.

Any authenticated user with basic addressbook read access can exploit this flaw to extract arbitrary data from the database, including sensitive information such as passwords, emails, file metadata, and active session tokens of other users.

This enables full account takeover of any user, including the System Administrator, without knowing their password.

Impact Analysis

This vulnerability can have severe impacts including full compromise of the Group-Office system.

  • Attackers can extract arbitrary data from the database such as passwords, emails, file metadata, and active session tokens.
  • Attackers can take over any user account, including administrators, without knowing their passwords.
  • Once compromised, attackers can create or delete users, change any user's password, access all private addressbooks, calendars, notes, and files, and modify system configurations.

This means a regular user with minimal privileges can silently escalate to full system administrator privileges, leading to a complete system breach.

Detection Guidance

This vulnerability is an authenticated SQL Injection in the JMAP Contact/query endpoint, specifically in the addressBookIds filter. Detection involves monitoring for unusual or unauthorized SQL queries or abnormal access patterns to the Contact/query endpoint.

Since exploitation requires authentication with basic addressbook access, you can detect attempts by reviewing logs for suspicious JMAP requests that include the addressBookIds filter with unusual or crafted input.

Suggested commands or approaches include:

  • Review web server or application logs for POST requests to the JMAP Contact/query endpoint containing the filter.addressBookIds parameter.
  • Use SQL query logging on the database to detect raw SQL fragments or unusual queries involving the addressBookIds field.
  • Example command to search logs for suspicious requests (assuming logs are in access.log):
  • grep -i 'Contact/query' access.log | grep 'addressBookIds'
  • Monitor for unexpected or unauthorized access tokens or session anomalies that could indicate session token theft.
Mitigation Strategies

The immediate and most effective mitigation is to upgrade Group-Office to a fixed version. The vulnerability is patched in versions 6.8.158, 25.0.92, and 26.0.17.

Until the upgrade can be applied, consider restricting access to the JMAP Contact/query endpoint to only trusted users or IP addresses, and monitor for suspicious activity.

Additionally, review and tighten user permissions to limit who has basic addressbook access, as any authenticated user with this access can exploit the vulnerability.

If possible, temporarily disable or restrict the use of the JMAP Contact/query endpoint to prevent exploitation.

Compliance Impact

The vulnerability allows an authenticated user with basic addressbook access to extract arbitrary data from the database, including active session tokens of other users, enabling full account takeover without knowing passwords.

This can lead to unauthorized access to sensitive personal data such as passwords, emails, private addressbooks, calendars, notes, and files.

Such unauthorized data exposure and account takeover can result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, this vulnerability poses a significant risk to compliance with these standards by compromising confidentiality, integrity, and availability of protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart