CVE-2026-27832 is a SQL Injection vulnerability classified under CWE-89 affecting Intermesh Group-Office, a CRM and groupware platform. The flaw exists in versions prior to 26.0.8, 25.0.87, and 6.8.153, specifically in the handling of the `advancedQueryData` parameter's `comparator` field within the authenticated endpoint `index.php?r=email/template/emailSelection`. This parameter is used to build SQL conditions but lacks a strict allowlist or proper sanitization, allowing attackers to inject malicious SQL code. The injection is blind boolean-based, meaning attackers can infer data by sending crafted queries and observing application behavior without direct error messages. The vulnerability enables exfiltration of sensitive data, notably from the `core_auth_password` table, which likely contains password hashes or authentication credentials. Exploitation requires authentication but no user interaction or elevated privileges beyond that. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, no user interaction, and high impact on confidentiality. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk due to the sensitive nature of the data accessible and the ease of exploitation once authenticated. Fixed versions 26.0.8, 25.0.87, and 6.8.153 address the issue by implementing proper input validation and allowlisting to prevent injection.

This vulnerability can lead to unauthorized disclosure of sensitive authentication data, including password hashes, potentially enabling attackers to escalate privileges or compromise user accounts. Organizations using vulnerable Group-Office versions risk data breaches affecting customer and internal user information, undermining confidentiality and trust. The blind boolean-based SQLi allows attackers to extract data stealthily, increasing the risk of prolonged undetected compromise. Since Group-Office is used for CRM and groupware functions, exposure of sensitive business communications and client data is possible, impacting business operations and compliance with data protection regulations. The requirement for authentication limits exposure to some extent but does not eliminate risk, especially in environments with weak or compromised credentials. The vulnerability could also be leveraged as a foothold for further internal network attacks or lateral movement. Overall, the impact is high due to the sensitivity of the data and the potential for significant operational and reputational damage.

Organizations should immediately upgrade Group-Office to versions 26.0.8, 25.0.87, or 6.8.153 or later to apply the official patches. Until patching is possible, restrict access to the affected endpoint to trusted users and monitor authentication logs for suspicious activity. Implement strong authentication policies, including multi-factor authentication, to reduce the risk of credential compromise. Conduct regular audits of user privileges to ensure least privilege principles are enforced. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the `advancedQueryData` parameter. Review and harden input validation mechanisms in custom deployments or integrations with Group-Office. Additionally, monitor network traffic and database logs for unusual query patterns indicative of blind SQL injection attempts. Educate administrators and users about the risks of credential reuse and phishing to prevent initial authentication compromise. Finally, maintain regular backups and incident response plans to quickly recover from potential breaches.