CVE-2026-33755

Name of the Vulnerable Software and Affected Versions Group-Office versions prior to 6.8.158 Group-Office versions prior to 25.0.92 Group-Office versions prior to 26.0.17

Description Group-Office is an enterprise customer relationship management and groupware tool. An authenticated SQL Injection vulnerability exists in the JMAP Contact/query endpoint. This allows any authenticated user with basic addressbook access to extract arbitrary data from the database, including active session tokens of other users. Successful exploitation enables full account takeover of any user, including the System Administrator, without knowing their password. The vulnerability affects the Contact/query API endpoint and allows access to data through SQL injection via the JMAP interface.

Recommendations Update Group-Office to version 6.8.158. Update Group-Office to version 25.0.92. Update Group-Office to version 26.0.17.