CVE-2026-34838

CRITICAL

Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`

Title source: cna

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.

Exploits (1)

nomisec WORKING POC
by bamuwe · poc
https://github.com/bamuwe/CVE-2026-34838

References (4)

Scores

CVSS v3 9.9
EPSS 0.0069
EPSS Percentile 71.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (4)
intermesh/group-office < 6.8.156
Intermesh/groupoffice < 25.0.90
Intermesh/groupoffice < 26.0.12
Intermesh/groupoffice < 6.8.156
Published Apr 02, 2026
Tracked Since Apr 03, 2026