CVE-2026-34838 (GCVE-0-2026-34838)
Vulnerability from cvelistv5 – Published: 2026-04-02 19:15 – Updated: 2026-04-03 12:55
VLAI?
Title
Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`
Summary
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.
Severity ?
10 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Intermesh | groupoffice |
Affected:
< 6.8.156
Affected: < 25.0.90 Affected: < 26.0.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34838",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T12:55:40.674883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T12:55:48.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "groupoffice",
"vendor": "Intermesh",
"versions": [
{
"status": "affected",
"version": "\u003c 6.8.156"
},
{
"status": "affected",
"version": "\u003c 25.0.90"
},
{
"status": "affected",
"version": "\u003c 26.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T19:15:40.591Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12"
},
{
"name": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156"
}
],
"source": {
"advisory": "GHSA-h22j-frrf-5vxq",
"discovery": "UNKNOWN"
},
"title": "Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34838",
"datePublished": "2026-04-02T19:15:40.591Z",
"dateReserved": "2026-03-30T20:52:53.284Z",
"dateUpdated": "2026-04-03T12:55:48.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34838\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-02T20:16:28.150\",\"lastModified\":\"2026-04-03T16:10:23.730\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34838\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-03T12:55:40.674883Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-03T12:55:45.217Z\"}}], \"cna\": {\"title\": \"Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`\", \"source\": {\"advisory\": \"GHSA-h22j-frrf-5vxq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Intermesh\", \"product\": \"groupoffice\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.8.156\"}, {\"status\": \"affected\", \"version\": \"\u003c 25.0.90\"}, {\"status\": \"affected\", \"version\": \"\u003c 26.0.12\"}]}], \"references\": [{\"url\": \"https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq\", \"name\": \"https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90\", \"name\": \"https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12\", \"name\": \"https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156\", \"name\": \"https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-02T19:15:40.591Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34838\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-03T12:55:48.631Z\", \"dateReserved\": \"2026-03-30T20:52:53.284Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-02T19:15:40.591Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…