Cyber Posture

CVE-2026-33755

High · Public PoC

Published: 27 March 2026

Modified: 20 April 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33755 is a high-severity SQL Injection (CWE-89) vulnerability in Intermesh Group-Office. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly requires validation of inputs to the JMAP Contact/query endpoint to prevent SQL injection exploitation.

prevent

Mandates timely identification, reporting, and patching of the SQLi flaw fixed in Group-Office versions 6.8.158, 25.0.92, and 26.0.17.

prevent

Vulnerability scanning detects the SQLi in the application, enabling remediation before exploitation leads to data extraction and account takeover.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 · Steal Web Session Cookie · Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1078 · Valid Accounts · Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

Authenticated SQLi in web app (Group-Office) directly enables remote exploitation of public-facing application for data access (T1190); extraction of session tokens from DB enables web session cookie theft (T1539); resulting arbitrary account impersonation enables use of valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database, including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.

Deeper analysis · AI

CVE-2026-33755 is an authenticated SQL injection vulnerability (CWE-89) in Group-Office, an enterprise customer relationship management and groupware tool. The issue resides in the JMAP `Contact/query` endpoint and affects versions prior to 6.8.158, 25.0.92, and 26.0.17. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity: it is remotely exploitable with low attack complexity and requires only low privileges.

Any authenticated user with basic addressbook access can exploit the vulnerability to extract arbitrary data from the database, including active session tokens belonging to other users. This capability enables full account takeover of any target user, including the System Administrator, without requiring their password.

The vulnerability is addressed in Group-Office versions 6.8.158, 25.0.92, and 26.0.17. Additional details on the issue and remediation are available in the security advisory at https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc.

Details

CWE(s): CWE-89

Affected Products

Vendor: intermesh
Product: group-office
Versions: ≤ 6.8.158 · 25.0.1 — 25.0.92 · 26.0.1 — 26.0.17

CVEs Like This One

CVE-2026-27832 · Same product: Intermesh Group-Office
CVE-2026-34838 · Same product: Intermesh Group-Office
CVE-2026-27947 · Same product: Intermesh Group-Office
CVE-2026-29198 · Shared CWE-89
CVE-2025-0063 · Shared CWE-89
CVE-2026-3180 · Shared CWE-89
CVE-2025-1872 · Shared CWE-89
CVE-2026-32458 · Shared CWE-89
CVE-2026-24494 · Shared CWE-89
CVE-2025-26875 · Shared CWE-89

References