Vulnerability Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Intermesh | Group-Office | < 6.8.158 |
Related Weaknesses (CWE)
References
- https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gc4-5993-c2qcVendor AdvisoryExploit
FAQ
What is CVE-2026-33755?
CVE-2026-33755 is a vulnerability with a CVSS score of 8.8 (HIGH). Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/qu...
How severe is CVE-2026-33755?
CVE-2026-33755 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33755?
Check the references section above for vendor advisories and patch information. Affected products include: Intermesh Group-Office.