
Critical insecure deserialization RCE fixed in Group-Office

Published 02 Apr 2026 | Updated 02 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — Group-Office deserializes attacker-controlled settings with PHP unserialize(), enabling a low-privileged authenticated user to write a web shell and reach server-side RCE.

What happened

Group-Office is an enterprise CRM and groupware platform that includes user-configurable system/module settings.

CVE-2026-34838 describes a critical (CVSS v3.1 10.0) insecure deserialization issue in the AbstractSettingsCollection model: when settings are loaded, values prefixed with serialized: are passed to PHP unserialize() without class validation (the advisory specifically notes the lack of allowed_classes => false). The advisory states an authenticated attacker can inject a serialized GuzzleHttp\Cookie\FileCookieJar object into a setting, and then leverage its behavior to achieve arbitrary file write, which “leads directly to Remote Code Execution (RCE) on the server.”

This matters because deserialization sinks paired with gadget chains in bundled dependencies (here, guzzlehttp/guzzle) routinely turn “configuration data handling” into a full application compromise path in server-side PHP stacks.

Who is impacted

  • Any deployment of Intermesh/groupoffice in the affected version ranges.
  • The attacker model is authenticated with low privileges (per CVSS PR:L), so environments with broad user access are higher risk.

Component | Affected versions (per CVE record) | Patched versions (per CVE record)
Intermesh/groupoffice | < 6.8.156 | 6.8.156
Intermesh/groupoffice | < 25.0.90 | 25.0.90
Intermesh/groupoffice | < 26.0.12 | 26.0.12

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
    • "This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12."

  • Inventory where Group-Office is deployed (including self-hosted instances) and determine which version track you are on (e.g., 6.8.x, 25.0.x, 26.0.x) to map to the correct patched release line.
  • Treat this as a likely web-shell / arbitrary file write scenario in incident response: if compromise is suspected, investigate for unexpected writable-path artifacts (e.g., newly created .php files) and follow your standard credential/secret rotation process for the affected service.
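
To support that investigation, here is an added example (not code from Group-Office or the advisory): a small Python walker over PHP's serialization format that lists the class names a stored setting value would ask unserialize() to instantiate. It assumes setting values have been exported as (name, bytes) pairs; the rows are constructed, and the sample object carries no properties.

```python
PREFIX = b"serialized:"  # marker the advisory says precedes unserialize()d values

def _members(buf, start, found):
    """Walk the `count:{key value ...}` body of an array or object."""
    brace = buf.index(b"{", start)
    pos = brace + 1
    for _ in range(2 * int(buf[start:brace - 1])):  # each member is key + value
        pos = _walk(buf, pos, found)
    if buf[pos:pos + 1] != b"}":
        raise ValueError("unterminated body")
    return pos + 1

def _walk(buf, pos, found):
    """Consume one serialized value at buf[pos]; return the offset after it."""
    tag = buf[pos:pos + 1]
    if tag in (b"N", b"b", b"i", b"d", b"r", b"R"):  # scalars and references
        return buf.index(b";", pos) + 1
    if tag == b"a":
        return _members(buf, pos + 2, found)
    if tag not in (b"s", b"E", b"O", b"C"):
        raise ValueError("unknown type tag")
    colon = buf.index(b":", pos + 2)
    size = int(buf[pos + 2:colon])        # byte length, so embedded quotes are safe
    after = colon + 3 + size              # offset just past the closing quote
    if tag in (b"s", b"E"):               # string content is skipped, never scanned
        return after + 1
    found.append(buf[colon + 2:colon + 2 + size].decode("utf-8", "replace"))
    if tag == b"O":
        return _members(buf, after + 1, found)
    brace = buf.index(b"{", after)        # C: opaque payload of declared length
    return brace + 2 + int(buf[after + 1:brace - 1])

def classes_in_setting(value):
    """Class names unserialize() would be asked to instantiate for this value."""
    if not value.startswith(PREFIX):
        return []
    found = []
    try:
        _walk(value[len(PREFIX):], 0, found)
    except (ValueError, RecursionError):
        found.append("<unparseable>")     # malformed input still deserves a look
    return found

# Constructed rows, not taken from a real instance.
ROWS = [("theme", b"Paper"),
        ("note", b'serialized:a:1:{s:4:"note";s:12:"O:1:"X":0:{}";}'),
        ("jar", b'serialized:O:31:"GuzzleHttp\\Cookie\\FileCookieJar":0:{}')]
for name, value in ROWS:
    print(name, classes_in_setting(value))
```

Because string payloads are skipped by their declared byte length, the "note" row, whose text merely looks like an object token, is not flagged. Any non-empty result on a settings row is worth reviewing.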

Additional Information

  • GitHub advisory with technical details and impact description: https://github.com/Intermesh/groupoffice/security/advisories/GHSA-h22j-frrf-5vxq
  • Release tags referenced by the CVE record: https://github.com/Intermesh/groupoffice/releases/tag/v6.8.156, https://github.com/Intermesh/groupoffice/releases/tag/v25.0.90, https://github.com/Intermesh/groupoffice/releases/tag/v26.0.12
