CVE-2026-34838
Insecure Deserialization in Group-Office Enables Remote Code Execution

Publication date: 2026-04-02

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product        Version / Range
intermesh   group-office   to 6.8.156 (exc)
intermesh   group-office   From 25.0.1 (inc) to 25.0.90 (exc)
intermesh   group-office   From 26.0.1 (inc) to 26.0.12 (exc)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability allows any authenticated user with low privileges to fully compromise the server running Group-Office. By exploiting the insecure deserialization, an attacker can write arbitrary files, such as a PHP web shell, to the server.

This leads to full remote code execution, meaning the attacker can execute any code on the server, compromising the confidentiality, integrity, and availability of the system and its data.

The impact is critical: the CVSS v3 base score is 9.9, reflecting exploitation over the network with low attack complexity and low privileges required.


Can you explain this vulnerability to me?

CVE-2026-34838 is a critical vulnerability in the Group-Office PHP application caused by insecure deserialization in the AbstractSettingsCollection model. When settings are loaded, if a setting string starts with the prefix 'serialized:', the application unserializes it without restricting allowed classes. An authenticated attacker can inject a specially crafted serialized FileCookieJar object into a setting string, which leads to arbitrary file write on the server.

This arbitrary file write allows the attacker to deploy a PHP web shell, resulting in remote code execution (RCE) on the server. The vulnerability arises because the FileCookieJar class has a destructor method that writes cookies to a file when the object is destroyed, enabling the attacker to write malicious PHP code to the server filesystem.

This issue affects versions prior to 6.8.156, 25.0.90, and 26.0.12 and has been patched in these versions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unsafe deserialization in the AbstractSettingsCollection model of Group-Office, which can be exploited by injecting a serialized FileCookieJar object into a setting string. Detection would involve checking for suspicious or unauthorized changes to settings, especially those involving serialized data in the go_settings database table.

Since the attack targets the legacy HTTP endpoint index.php?r=core/saveSetting, monitoring HTTP requests to this endpoint for unusual payloads or serialized objects could help detect exploitation attempts.

Commands to detect potential exploitation might include:

  • Inspect the go_settings database table for suspicious serialized strings, especially those starting with 'serialized:' and containing FileCookieJar objects. Example query (MySQL):
      SELECT * FROM go_settings WHERE value LIKE 'serialized:%';
  • Use web server logs to search for POST requests to 'index.php?r=core/saveSetting' with unusual payloads. Example command (assuming Apache):
      grep 'index.php?r=core/saveSetting' /var/log/apache2/access.log | grep POST
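
A triage pass over exported go_settings values, as an added example that is not part of the original page or of Group-Office's code: it walks PHP serialize() syntax after the 'serialized:' prefix and reports any object class names, skipping string contents by length so text that merely looks like an object is not flagged. The (name, value) row shape, the setting names and the inert sample rows are assumptions constructed for illustration.

```python
PREFIX = b"serialized:"  # prefix named in the text above

def _num(buf, pos):
    """Read the decimal field at pos; return (value, index of the next ':')."""
    end = buf.index(b":", pos)
    if not buf[pos:end].isdigit():
        raise ValueError("bad length field")
    return int(buf[pos:end]), end

def _walk(buf, pos, found):
    """Consume one serialized value at pos, collect class names, return next pos."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                # N;
        return pos + 2
    if tag in (b"b", b"i", b"d", b"r", b"R"):      # i:42;  b:1;  d:0.5;  r:1;
        return buf.index(b";", pos) + 1
    if tag == b"s":                                # s:<len>:"<bytes>";
        length, colon = _num(buf, pos + 2)
        return colon + 2 + length + 2              # skipped by length, never scanned
    if tag in (b"O", b"C"):                        # O:<len>:"<class>":<n>:{...}
        nlen, colon = _num(buf, pos + 2)
        found.append(buf[colon + 2:colon + 2 + nlen].decode(errors="replace"))
        pos = colon + 2 + nlen                     # closing quote; count starts at pos + 2
    if tag in (b"a", b"O", b"C"):                  # a:<n>:{<key><value>...}
        count, colon = _num(buf, pos + 2)
        pos = colon + 2                            # first byte after ':{'
        if tag == b"C":                            # custom payload is opaque bytes
            return pos + count + 1
        for _ in range(count * 2):                 # each entry is a key and a value
            pos = _walk(buf, pos, found)
        return pos + 1                             # closing '}'
    raise ValueError("unknown or truncated token")

def audit_setting(value):
    """Classify one stored value: plain, scalar-only, object or malformed."""
    raw = value.encode()
    if not raw.startswith(PREFIX):
        return "plain", []
    found = []
    try:
        if _walk(raw, len(PREFIX), found) != len(raw):
            raise ValueError("trailing or missing bytes")
    except (ValueError, RecursionError):
        return "malformed", found
    return ("object" if found else "scalar-only"), found

def flag_rows(rows):
    """Return (name, verdict, classes) for rows that need manual review."""
    checked = [(name, *audit_setting(value)) for name, value in rows]
    return [row for row in checked if row[1] in ("object", "malformed")]

# Constructed, inert sample rows; the setting names are hypothetical.
ROWS = [("theme", "Paper"),
        ("columns", 'serialized:a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}'),
        ("note", 'serialized:s:25:"O:13:"FileCookieJar":0:{}";'),
        ("jar", 'serialized:a:1:{s:1:"x";O:13:"FileCookieJar":0:{}}'),
        ("cut", 'serialized:a:2:{i:0;')]
```

Calling flag_rows(ROWS) returns only the "jar" and "cut" rows: an array or scalar setting is expected, while any object class name or a value that fails to parse warrants manual review.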

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Group-Office to a patched version where this vulnerability is fixed. The patched versions are 6.8.156, 25.0.90, and 26.0.12.

Until the upgrade can be applied, consider restricting access to the vulnerable endpoint 'index.php?r=core/saveSetting' to trusted users only, and monitor for suspicious activity.

Additionally, review and audit settings stored in the go_settings database table for any suspicious serialized data and remove or reset them if necessary.

Implement network-level protections such as web application firewalls (WAF) to detect and block malicious payloads targeting this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-34838 allows an authenticated attacker to achieve arbitrary file write and remote code execution on the server hosting Group-Office. This leads to a complete compromise of the server's confidentiality, integrity, and availability within the web application context.

Such a severe compromise can result in unauthorized access to sensitive personal or health data managed by the application, potentially violating data protection regulations like GDPR and HIPAA that require strict controls over data confidentiality and integrity.

Therefore, if exploited, this vulnerability could cause non-compliance with these common standards and regulations due to the risk of data breaches, unauthorized data manipulation, and service disruption.

