CVE-2026-33755: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Intermesh groupoffice
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP `Contact/query` endpoint allows any authenticated user with basic addressbook access to extract arbitrary data from the database — including active session tokens of other users. This enables full account takeover of any user, including the System Administrator, without knowing their password. Versions 6.8.158, 25.0.92, and 26.0.17 fix the issue.
AI Analysis
Technical Summary
CVE-2026-33755 is an authenticated SQL Injection vulnerability identified in the Intermesh Group-Office enterprise CRM and groupware software. The flaw resides in the JMAP Contact/query endpoint, which improperly neutralizes special elements in SQL commands, allowing an attacker with basic addressbook access to inject malicious SQL queries. This vulnerability enables extraction of arbitrary data from the backend database, including sensitive information such as active session tokens of other users. By leveraging these tokens, an attacker can perform full account takeover of any user, including the System Administrator, without needing their password. The vulnerability affects multiple major versions of Group-Office prior to 6.8.158, 25.0.92, and 26.0.17, which have addressed the issue in their respective patches. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no requirement for user interaction beyond authentication. Although exploitation requires valid credentials with minimal privileges, the ability to escalate to full administrative control makes this vulnerability particularly dangerous. No public exploits have been reported yet, but the vulnerability's nature suggests a high likelihood of exploitation once widely known. The flaw is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and critical injection weakness.
Potential Impact
The impact of CVE-2026-33755 is severe for organizations using vulnerable versions of Group-Office. Attackers with basic authenticated access can extract sensitive data from the database, including session tokens, enabling full account takeover of any user, including administrators. This compromises the confidentiality of all stored data, the integrity of user accounts and system configurations, and the availability of services if attackers disrupt operations. The ability to impersonate administrators allows attackers to manipulate or exfiltrate critical business information, potentially leading to data breaches, regulatory non-compliance, and reputational damage. Since Group-Office is used for CRM and groupware functions, the compromise could affect communications, scheduling, and customer data, impacting business continuity. The vulnerability's ease of exploitation and the lack of need for user interaction increase the risk of rapid exploitation in targeted or opportunistic attacks.
Mitigation Recommendations
To mitigate CVE-2026-33755, organizations should immediately upgrade Group-Office to versions 6.8.158, 25.0.92, or 26.0.17 or later, where the vulnerability is patched. Until upgrades can be applied, restrict access to the JMAP Contact/query endpoint by limiting authenticated user permissions and network access to trusted users only. Implement strict monitoring and logging of database queries and user activities to detect anomalous behavior indicative of SQL injection attempts or session token misuse. Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the vulnerable endpoint. Conduct regular security assessments and penetration testing focused on authentication and injection vulnerabilities. Additionally, enforce strong authentication mechanisms and session management policies to reduce the risk of session token theft and reuse. Educate users about the importance of safeguarding credentials and promptly reporting suspicious activity.
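As an added example (not Group-Office or vendor code), the upgrade check above can be run over a software inventory by comparing each installed version with the fixed release for its branch. The host names and versions are constructed, and reporting branches the advisory does not name as `review` is an assumption.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED = {(6, 8): 158, (25, 0): 92, (26, 0): 17}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '25.0.91' or 'v6.8.158-1'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version):
    """Classify one installed Group-Office version against CVE-2026-33755."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Older than the 6.8 branch, so prior to every fixed release.
        return "vulnerable"
    # Assumption: a branch the advisory does not name needs a manual check.
    return "review"

def triage_inventory(inventory):
    """Map host -> status; version strings that cannot be parsed are flagged."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = triage(version)
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "crm-legacy": "6.8.157",
    "crm-prod": "25.0.92",
    "crm-staging": "v26.0.16-1",
    "crm-archive": "6.7.40",
    "crm-lab": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```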
Affected Countries
United States, Germany, United Kingdom, France, Netherlands, Australia, Canada, Sweden, Switzerland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T18:30:14.125Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6949b3c064ed76fb5b753
Added to database: 3/27/2026, 2:30:51 PM
Last enriched: 3/27/2026, 2:46:58 PM
Last updated: 3/27/2026, 11:41:27 PM