Cyber Resilience

CVE-2026-33755

HighPublic PoC

Published: 27 March 2026

Published
27 March 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 30.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33755 is a high-severity SQL Injection (CWE-89) vulnerability in Intermesh Group-Office. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33755 is an authenticated SQL injection vulnerability (CWE-89) in Group-Office, an enterprise customer relationship management and groupware tool. The issue resides in the JMAP `Contact/query` endpoint and affects versions prior to 6.8.158, 25.0.92, and 26.0.17. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity and privileges.

Any authenticated user with basic addressbook access can exploit the vulnerability to extract arbitrary data from the database, including active session tokens belonging to other users. This capability enables full account takeover of any target user, including the System Administrator, without requiring their password.

The vulnerability is addressed in Group-Office versions 6.8.158, 25.0.92, and 26.0.17. Additional details on the issue and remediation are available in the security advisory at https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qc.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from…

more

the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Authenticated SQLi in web app (Group-Office) directly enables remote exploitation of public-facing application for data access (T1190); extraction of session tokens from DB enables web session cookie theft (T1539); resulting arbitrary account impersonation enables use of valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27832Same product: Intermesh Group-Office
CVE-2026-34838Same product: Intermesh Group-Office
CVE-2026-27947Same product: Intermesh Group-Office
CVE-2026-29198Shared CWE-89
CVE-2019-25347Shared CWE-89
CVE-2025-0063Shared CWE-89
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89

Affected Assets

intermesh
group-office
≤ 6.8.158 · 25.0.1 — 25.0.92 · 26.0.1 — 26.0.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of inputs to the JMAP Contact/query endpoint to prevent SQL injection exploitation.

prevent

Mandates timely identification, reporting, and patching of the SQLi flaw fixed in Group-Office versions 6.8.158, 25.0.92, and 26.0.17.

prevent

Vulnerability scanning detects the SQLi in the application, enabling remediation before exploitation leads to data extraction and account takeover.

References