Primary

Context

Group-Office SQL Injection Vulnerability in JMAP Contact Query Endpoint Allowing Account Takeover

Vulnerability

Patched

A SQL injection vulnerability has been identified in Group-Office versions prior to 6.8.158, 25.0.92, and 26.0.17. This vulnerability exists in the JMAP 'Contact/query' endpoint, specifically within the 'addressBookIds' filter. It allows authenticated users with basic address book access to inject malicious SQL, extracting arbitrary data from the database. This includes active session tokens of other users, enabling full account takeover, even of the System Administrator, without requiring their password.

Impact

Exploitation of this vulnerability allows for SQL injection, leading to unauthorized data access and full account takeover of any user, including administrators.

Remediation

Users can upgrade to Group-Office versions 6.8.158, 25.0.92, or 26.0.17 to address this vulnerability.

Added: Mar 27, 2026, 3:42 PM

Updated: Mar 27, 2026, 3:42 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.0

exploitability

6.3

remediation

7.7

relevance

4.8

threat

4.8

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.0

exploitability

6.3

remediation

7.7

relevance

4.8

threat

4.8

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Group-Office SQL Injection Vulnerability in JMAP Contact Query Endpoint Allowing Account Takeover

Vulnerability

Impact

Remediation

Affected Products

Intermesh Group-Office

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating