CVE-2026-34838
Received Received - Intake
Insecure Deserialization in Group-Office Enables Remote Code Execution

Publication date: 2026-04-02

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34838
EUVD
EUVD-2026-18532
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
intermesh group-office to 6.8.156 (exc)
intermesh group-office From 25.0.1 (inc) to 25.0.90 (exc)
intermesh group-office From 26.0.1 (inc) to 26.0.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-34838 allows an authenticated attacker to achieve arbitrary file write and remote code execution on the server hosting Group-Office. This leads to a complete compromise of the server's confidentiality, integrity, and availability within the web application context.

Such a severe compromise can result in unauthorized access to sensitive personal or health data managed by the application, potentially violating data protection regulations like GDPR and HIPAA that require strict controls over data confidentiality and integrity.

Therefore, if exploited, this vulnerability could cause non-compliance with these common standards and regulations due to the risk of data breaches, unauthorized data manipulation, and service disruption.

Impact Analysis

This vulnerability allows any authenticated user with low privileges to fully compromise the server running Group-Office. By exploiting the insecure deserialization, an attacker can write arbitrary files, such as a PHP web shell, to the server.

This leads to full remote code execution, meaning the attacker can execute any code on the server, compromising the confidentiality, integrity, and availability of the system and its data.

The impact is severe and critical, with a CVSS v3 base score of 9.9, indicating a high risk of exploitation over the network with low complexity and low privileges required.

Executive Summary

CVE-2026-34838 is a critical vulnerability in the Group-Office PHP application caused by insecure deserialization in the AbstractSettingsCollection model. When settings are loaded, if a setting string starts with the prefix 'serialized:', the application unserializes it without restricting allowed classes. An authenticated attacker can inject a specially crafted serialized FileCookieJar object into a setting string, which leads to arbitrary file write on the server.

This arbitrary file write allows the attacker to deploy a PHP web shell, resulting in remote code execution (RCE) on the server. The vulnerability arises because the FileCookieJar class has a destructor method that writes cookies to a file when the object is destroyed, enabling the attacker to write malicious PHP code to the server filesystem.

This issue affects versions prior to 6.8.156, 25.0.90, and 26.0.12 and has been patched in these versions.

Detection Guidance

This vulnerability involves unsafe deserialization in the AbstractSettingsCollection model of Group-Office, which can be exploited by injecting a serialized FileCookieJar object into a setting string. Detection would involve checking for suspicious or unauthorized changes to settings, especially those involving serialized data in the go_settings database table.

Since the attack targets the legacy HTTP endpoint index.php?r=core/saveSetting, monitoring HTTP requests to this endpoint for unusual payloads or serialized objects could help detect exploitation attempts.

Commands to detect potential exploitation might include:

  • Inspect the go_settings database table for suspicious serialized strings, especially those starting with 'serialized:' and containing FileCookieJar objects.
  • Use web server logs to search for POST requests to 'index.php?r=core/saveSetting' with unusual payloads.
  • Example command to search web server logs (assuming Apache):
  • grep 'index.php?r=core/saveSetting' /var/log/apache2/access.log | grep POST
  • Query the database (example for MySQL) to find suspicious serialized settings:
  • SELECT * FROM go_settings WHERE value LIKE 'serialized:%';
Mitigation Strategies

The primary mitigation step is to upgrade Group-Office to a patched version where this vulnerability is fixed. The patched versions are 6.8.156, 25.0.90, and 26.0.12.

Until the upgrade can be applied, consider restricting access to the vulnerable endpoint 'index.php?r=core/saveSetting' to trusted users only, and monitor for suspicious activity.

Additionally, review and audit settings stored in the go_settings database table for any suspicious serialized data and remove or reset them if necessary.

Implement network-level protections such as web application firewalls (WAF) to detect and block malicious payloads targeting this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34838. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart