{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34838", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.284Z", "datePublished": "2026-04-02T19:15:40.591Z", "dateUpdated": "2026-04-03T12:55:48.631Z"}, "containers": {"cna": {"title": "Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq"}, {"name": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90"}, {"name": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12"}, {"name": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.156", "status": "affected"}, {"version": "< 25.0.90", "status": "affected"}, {"version": "< 26.0.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:15:40.591Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."}], "source": {"advisory": "GHSA-h22j-frrf-5vxq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:55:40.674883Z", "id": "CVE-2026-34838", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:55:48.631Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34838", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.284Z", "datePublished": "2026-04-02T19:15:40.591Z", "dateUpdated": "2026-04-03T12:55:48.631Z"}, "containers": {"cna": {"title": "Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq"}, {"name": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90"}, {"name": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12"}, {"name": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156", "tags": ["x_refsource_MISC"], "url": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156"}], "affected": [{"vendor": "Intermesh", "product": "groupoffice", "versions": [{"version": "< 6.8.156", "status": "affected"}, {"version": "< 25.0.90", "status": "affected"}, {"version": "< 26.0.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T19:15:40.591Z"}, "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."}], "source": {"advisory": "GHSA-h22j-frrf-5vxq", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34838", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:55:40.674883Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:55:45.217Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."}], "id": "CVE-2026-34838", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T20:16:28.150", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90"}, {"source": "security-advisories@github.com", "url": "https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12"}, {"source": "security-advisories@github.com", "url": "https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156"}, {"source": "security-advisories@github.com", "url": "https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.8.156)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,25.0.90)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.0.12)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "groupoffice", "source": "cna", "vendor": "Intermesh"}, "product": "group-office", "vendor": "intermesh"}], "analysis": {"en": {"generated_at": "2026-04-02T22:19:28.787295+00:00", "value": {"mitigation_remediation": ["Apply the 6.8.156 or newer, 25.0.90 or newer, or 26.0.12 or newer patch to Group\u2011Office."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected products are Intermesh Group\u2011Office. Versions prior to 6.8.156, 25.0.90, and 26.0.12 are vulnerable. All iterations of the Group\u2011Office release line that fall below those patch releases are impacted. Only these specific major/minor releases are listed; newer releases beyond the mentioned versions have the vulnerability already fixed.", "description_and_impact": "The vulnerability exists in the AbstractSettingsCollection model of Group\u2011Office. The model deserializes user\u2011supplied setting strings without proper validation, creating a classic insecure deserialization flaw (CWE\u2011502). By crafting a serialized FileCookieJar object and embedding it in a setting string, an attacker who has authenticated access to the application can cause the server to write arbitrary files to the file system. This writes on disk grant the attacker code execution from inside the application, allowing full compromise of the underlying web server and operating system.", "risk_and_exploitability": "The CVSS score of 10 indicates a critical severity. Although EPSS information is not available, the flaw permits remote code execution after authentication, making it a high\u2011risk asset for any company running Group\u2011Office without the latest patch. The vulnerability is not listed in the CISA KEV catalog at present, but the lack of exploitation data does not diminish the inherent risk. The attack vector is likely through authenticated user actions that manipulate configuration values; fraud or privileged user credentials would provide the necessary access. The path to compromise is straightforward once the flaw is triggered, which stresses the urgency of applying the patch."}}}}, "created": "2026-04-03T07:31:26.317779+00:00", "updated": "2026-04-03T09:16:21.848657+00:00", "vendors": ["intermesh", "intermesh$PRODUCT$group-office"]}