CVE-2026-27832 is a SQL Injection vulnerability classified under CWE-89 affecting Intermesh Group-Office, an enterprise CRM and groupware platform. The vulnerability exists in versions prior to 26.0.8, 25.0.87, and 6.8.153. It is triggered via the 'advancedQueryData' parameter's 'comparator' field on the authenticated endpoint 'index.php?r=email/template/emailSelection'. This endpoint processes the 'advancedQueryData' input and incorporates the 'comparator' value directly into SQL query construction without enforcing a strict allowlist or proper sanitization. Consequently, an attacker with authenticated access but low privileges can craft malicious input to perform blind boolean-based SQL injection attacks. This technique allows the attacker to infer data from the database by observing true/false responses, enabling exfiltration of sensitive information such as password hashes stored in the 'core_auth_password' table. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v4.0 score of 7.1 reflects high severity due to network attack vector, low attack complexity, no required privileges beyond authentication, and high impact on confidentiality. No public exploits have been reported yet, but the vulnerability's nature and affected data make it a significant risk. The issue is resolved in Group-Office versions 26.0.8, 25.0.87, and 6.8.153, which implement proper input validation and sanitization to prevent injection.

The primary impact of CVE-2026-27832 is unauthorized disclosure of sensitive data, notably password hashes from the 'core_auth_password' table, which could lead to credential compromise and further system infiltration. Successful exploitation undermines confidentiality and potentially integrity if attackers leverage stolen credentials for privilege escalation or lateral movement. Given Group-Office's role in managing customer relationships and internal communications, data leakage could expose sensitive business information, client data, and internal workflows, resulting in reputational damage, regulatory penalties, and operational disruption. The vulnerability requires only authenticated access with low privileges, increasing risk within organizations where user accounts may be compromised or insider threats exist. The lack of user interaction and network accessibility facilitate remote exploitation. Although availability impact is limited, the breach of sensitive authentication data can lead to broader security incidents, including account takeover and persistent unauthorized access. Organizations globally using affected versions face significant risks until patched.

To mitigate CVE-2026-27832, organizations should immediately upgrade Group-Office installations to versions 26.0.8, 25.0.87, or 6.8.153 where the vulnerability is fixed. If immediate patching is not feasible, restrict access to the vulnerable endpoint by implementing strict network segmentation and access controls, limiting authenticated user permissions to the minimum necessary. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'advancedQueryData' parameter, especially the 'comparator' field. Conduct thorough audits of user accounts to identify and disable any unauthorized or dormant accounts that could be leveraged for exploitation. Monitor application logs for anomalous query patterns or repeated failed attempts indicative of blind SQL injection probing. Additionally, enforce multi-factor authentication to reduce the risk of compromised credentials being used to exploit the vulnerability. Finally, review and enhance input validation and sanitization practices in custom integrations or extensions of Group-Office to prevent similar injection flaws.