CVE-2026-34838 CRITICAL

CVE-2026-34838: Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`

Vendor Intermesh

Product groupoffice

Weakness CWE-502 · Unsafe deserialization

Published April 2, 2026

Last update April 3, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12.

Key dates

Disclosure timeline

April 2, 2026 CVE published

April 3, 2026 Record updated

Identifiers

CVE CVE-2026-34838

CWE CWE-502

CVSS 10.0 / CRITICAL

Affected versions

Vendor Intermesh

Product groupoffice

Affected < 6.8.156

Vendor Intermesh

Product groupoffice

Affected < 25.0.90

Vendor Intermesh

Product groupoffice

Affected < 26.0.12