Vulnerability Description
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Intermesh | Group-Office | < 6.8.156 |
Related Weaknesses (CWE)
References
- https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90Release Notes
- https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12Release Notes
- https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156Release Notes
- https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxqVendor Advisory
FAQ
What is CVE-2026-34838?
CVE-2026-34838 is a vulnerability with a CVSS score of 9.9 (CRITICAL). Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to ins...
How severe is CVE-2026-34838?
CVE-2026-34838 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-34838?
Check the references section above for vendor advisories and patch information. Affected products include: Intermesh Group-Office.