Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionGitHub Advisory
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database - including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
AnalysisAI
Authenticated SQL injection in Group-Office's JMAP Contact/query endpoint allows any user with basic addressbook permissions to extract database contents, including active session tokens, enabling full account takeover of any user including System Administrators. Affects Group-Office versions before 6.8.158, 25.0.92, and 26.0.17. EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit or active exploitation confirmed. Despite 8.8 CVSS score, real-world risk depends heavily on whether attackers can obtain valid low-privilege credentials first.
Technical ContextAI
Group-Office is an enterprise CRM and groupware platform from Intermesh. This vulnerability exploits a classic SQL injection weakness (CWE-89) in the JMAP (JSON Meta Application Protocol) API's Contact/query endpoint. JMAP is a modern JSON-based protocol for mail, calendars, and contacts. The vulnerable endpoint fails to properly sanitize user-supplied input in contact query operations, allowing SQL metacharacters to break out of the intended query context. Once injected, the attacker can use UNION-based or other SQL injection techniques to execute arbitrary SELECT statements against the application database. The severity stems from the database storing active PHP session tokens in plaintext or reversible format, and the endpoint being accessible to any authenticated user with basic addressbook module access-a default permission in most Group-Office deployments. The affected CPE (cpe:2.3:a:intermesh:groupoffice) covers the core application across three maintained version branches: legacy 6.8.x, current 25.0.x, and latest 26.0.x.
RemediationAI
Upgrade immediately to patched versions: Group-Office 6.8.158 (legacy branch), 25.0.92 (stable branch), or 26.0.17 (latest branch). Download patches from vendor GitHub repository or official distribution channels at https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc. No workaround exists that eliminates the vulnerability without patching. Temporary risk reduction measures with significant operational impact include: disable the JMAP Contact/query API endpoint entirely if not required for business operations (breaks contact search/sync functionality); restrict addressbook module access to only explicitly trusted users via Group-Office permission system (reduces attack surface but impairs collaboration features); implement Web Application Firewall rules to block common SQL injection patterns in JMAP requests to /api/jmap.php (prone to bypass and false positives); force immediate logout and regeneration of all active session tokens post-patching to invalidate any previously stolen credentials (causes user disruption but prevents exploitation of already-exfiltrated tokens). Monitor authentication logs for unusual contact query API activity or unexpected privilege escalations as potential indicators of exploitation attempts during the patching window.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16622