CVE-2026-34838

CRITICAL

Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-34838. PoCs published by adminlove520, bamuwe.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-34838, a PHP deserialization vulnerability in Group-Office. The exploit chains a GuzzleHttp CookieJar gadget to achieve arbitrary file write and RCE via a crafted serialized payload.

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.

Exploits (2)

github WORKING POC 3 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-34838

This repository contains a functional exploit for CVE-2026-34838, a PHP deserialization vulnerability in Group-Office. The exploit chains a GuzzleHttp CookieJar gadget to achieve arbitrary file write and RCE via a crafted serialized payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Group-Office <= 25.0.89
Auth required
Prerequisites: valid credentials · access to the target application
devstral-2 · analyzed May 02, 2026 Full analysis →
nomisec WORKING POC
by bamuwe · poc
https://github.com/bamuwe/CVE-2026-34838

This repository contains a functional exploit for CVE-2026-34838, demonstrating an RCE vulnerability in Group-Office via PHP deserialization. The PoC constructs a malicious gadget chain using GuzzleHttp's FileCookieJar to achieve arbitrary file write and subsequent code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Group-Office <= 25.0.89
Auth required
Prerequisites: valid credentials for Group-Office · access to the target application
devstral-2 · analyzed Apr 07, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 9.9
EPSS 0.0032
EPSS Percentile 55.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (4)
intermesh/group-office < 6.8.156
Intermesh/groupoffice < 25.0.90
Intermesh/groupoffice < 26.0.12
Intermesh/groupoffice < 6.8.156
Published Apr 02, 2026
Tracked Since Apr 03, 2026