CVE-2026-25511 Overview
CVE-2026-25511 is a Server-Side Request Forgery (SSRF) vulnerability in Group-Office, Intermesh's enterprise CRM and groupware suite. An authenticated user in the System Administrator group can point the WOPI service discovery URL at any host and port reachable from the server, internal ones included, and have the server issue the request. The issue is particularly severe because the body of the server's response can be read back through the built-in debug system, which turns a blind SSRF into one whose responses the attacker sees and, per the advisory, also yields full server-side file read.
Critical Impact
Authenticated users with System Administrator privileges can reach internal network resources, read arbitrary files on the server, and exfiltrate the results through the WOPI service discovery endpoint combined with the debug system.
Affected Products
- Group-Office 6.8.x prior to 6.8.150
- Group-Office 25.0.x prior to 25.0.82
- Group-Office 26.0.x prior to 26.0.5
Discovery Timeline
- 2026-02-04 - CVE-2026-25511 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-25511
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw is in the WOPI (Web Application Open Platform Interface) service discovery functionality of Group-Office. WOPI is the protocol used to integrate browser-based document editors; the discovery URL names the editor server's discovery endpoint, which the Group-Office server fetches itself to learn which file types and actions the editor supports.
Because the discovery URL is taken from the administrator's configuration without adequate restriction, an authenticated administrator can point it at arbitrary internal or external hosts and ports and have the server issue the request. What makes this SSRF particularly dangerous is that the application's built-in debug system exposes the response body, upgrading a blind SSRF into a full-read SSRF.
Beyond network-based attacks, the advisory states that the same flaw enables arbitrary file read on the server, giving access to configuration files, credentials, and other protected data stored on the system.
Root Cause
The root cause is insufficient validation of the administrator-supplied discovery URL in the WOPI service discovery implementation: the application does not restrict the scheme, host, or port of the outbound request it makes on the administrator's behalf. Combined with the debug functionality that exposes response content, this yields a complete SSRF exploitation chain.
Attack Vector
The attack requires network access and authentication with System Administrator privileges. An attacker with these credentials can:
- Access the WOPI service discovery configuration interface
- Supply a URL pointing at an internal service, a cloud metadata endpoint, or a local file
- Trigger the WOPI discovery request from the server
- Use the built-in debug system to retrieve and exfiltrate the response body
The SSRF can be leveraged to scan internal networks, reach cloud metadata endpoints (such as AWS IMDSv1, which answers without a session token), interact with internal APIs, or read sensitive files from the server filesystem.
Detection Methods for CVE-2026-25511
Indicators of Compromise
- Unusual outbound HTTP requests from the Group-Office server to private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or to loopback
- Requests to cloud metadata endpoints such as 169.254.169.254
- Abnormal access to the WOPI service discovery configuration by administrator accounts
- Debug system activity correlated with external URL requests
Detection Strategies
- Monitor web application logs for WOPI-related configuration changes or unusual discovery URL patterns
- Implement network monitoring to detect outbound requests from the Group-Office server to unexpected internal destinations
- Review administrator account activity for suspicious access to WOPI settings or debug functionality
- Deploy web application firewall rules for SSRF payload patterns in request parameters, with the caveat that the payload here is a well-formed URL in an administrator's settings change, so a WAF is a supplementary control rather than a primary one
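The check the root cause calls for, and the same check turned on an audit log as the detection strategies above suggest, as an added example in Python. This is not Group-Office's own (PHP) code; the allowed-port set, the audit-log line format, the host names and the DNS answers are constructed for the example and are not the product's.

```python
"""Validate a WOPI discovery URL the way a hardened server should, then scan a
settings audit log for discovery URLs that an SSRF would abuse.
Added example, not Group-Office code: ports, log format and DNS answers are constructed."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Only HTTP(S) makes sense for a discovery fetch; rejecting every other scheme
# (file://, gopher://, php://, ...) closes the server-side file read.
ALLOWED_SCHEMES = {"http", "https"}
# Assumption: ports the editor's /hosting/discovery endpoint is served on here.
ALLOWED_PORTS = {80, 443, 9980}


def is_forbidden_address(addr):
    """True for any address an outbound discovery request must never reach."""
    ip = ipaddress.ip_address(addr.split("%")[0])       # drop IPv6 scope id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                             # ::ffff:10.0.0.1 is 10.0.0.1
    # "not is_global" covers RFC 1918, loopback, link-local (so 169.254.169.254 and
    # fe80::/10), ULA (so fd00:ec2::254), CGNAT, documentation and reserved space.
    return ip.is_multicast or not ip.is_global


def system_resolve(host):
    """OS resolver; returns every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def make_static_resolver(table):
    """Offline stand-in for DNS: constructed answers for names, pass-through for literals."""
    def resolve(host):
        if host in table:
            return list(table[host])
        try:
            ipaddress.ip_address(host)
            return [host]
        except ValueError:
            raise OSError(f"no constructed DNS answer for {host!r}") from None
    return resolve


def check_discovery_url(url, resolve=system_resolve):
    """Return (ok, reason). Checking resolved addresses rather than the host text also
    catches decimal/hex spellings of an IP literal once the resolver normalises them.
    It does not stop DNS rebinding or redirects: the fetcher must connect to the vetted
    address without re-resolving and must not follow redirects."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"                  # http://trusted@10.0.0.1/ trick
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        answers = resolve(parts.hostname)
    except OSError as exc:
        return False, f"DNS failure: {exc}"
    for answer in answers:
        if is_forbidden_address(answer):
            return False, f"{parts.hostname} resolves to forbidden address {answer}"
    return True, "ok"


# Constructed audit lines in a hypothetical settings-change format (not the product's).
SAMPLE_AUDIT_LOG = """\
2026-02-05T09:58:11Z user=alice action=settings.update key=wopi.discoveryUrl value=https://office.corp.example:9980/hosting/discovery
2026-02-05T10:12:03Z user=alice action=settings.update key=wopi.discoveryUrl value=http://169.254.169.254/latest/meta-data/iam/
2026-02-05T10:13:40Z user=alice action=debug.view module=wopi
2026-02-05T10:15:02Z user=alice action=settings.update key=wopi.discoveryUrl value=file:///etc/passwd
2026-02-05T10:16:27Z user=bob action=settings.update key=wopi.discoveryUrl value=http://intranet-api.corp.example/admin
"""
# Constructed DNS answers for the names above (93.184.216.34 stands in for a public host).
STATIC_RESOLVER = make_static_resolver({"office.corp.example": ["93.184.216.34"],
                                        "intranet-api.corp.example": ["10.20.30.40"]})
DISCOVERY_CHANGE = re.compile(
    r"user=(?P<user>\S+) action=settings\.update key=wopi\.discoveryUrl value=(?P<url>\S+)")


def scan_audit_log(text, resolve=system_resolve):
    """Run the same check over every logged discovery-URL change; return the offenders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DISCOVERY_CHANGE.search(line)
        if m:
            ok, reason = check_discovery_url(m["url"], resolve)
            if not ok:
                findings.append((lineno, m["user"], m["url"], reason))
    return findings


if __name__ == "__main__":
    for lineno, user, url, reason in scan_audit_log(SAMPLE_AUDIT_LOG, STATIC_RESOLVER):
        print(f"line {lineno}: {user} set WOPI discovery URL {url}: {reason}")
```

Two caveats the code states but cannot enforce on its own: the fetch must connect to the address that was vetted rather than resolve the name again (a host that answers with a public address at check time can be re-pointed at 10.x before the request, the DNS rebinding case), and it must not follow redirects, since an attacker-controlled public host can simply 302 to the metadata endpoint. In a PHP fetcher that means, for instance, not handing the user-supplied URL to curl with CURLOPT_FOLLOWLOCATION enabled.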
Monitoring Recommendations
- Enable detailed logging for the WOPI service discovery module and debug system access
- Configure alerts for outbound HTTP requests from the Group-Office server to RFC 1918 private ranges, loopback, and link-local addresses (169.254.0.0/16, which contains the cloud metadata endpoint)
- Implement egress filtering to restrict outbound connections from the application server
- Regularly audit administrator account permissions and activity
How to Mitigate CVE-2026-25511
Immediate Actions Required
- Upgrade Group-Office to 6.8.150, 25.0.82, or 26.0.5 (or later on the same release branch) immediately
- Review and restrict accounts with System Administrator privileges to trusted personnel only
- Audit recent administrator activity for potential exploitation attempts
- Implement network segmentation to limit impact of potential SSRF exploitation
Patch Information
Intermesh has released security patches addressing this vulnerability in versions 6.8.150, 25.0.82, and 26.0.5. The fixing commit is linked from the GitHub Security Advisory GHSA-r9v4-jm2r-r9pm, which organizations should review for complete details.
Workarounds
- Restrict access to the WOPI service discovery configuration to only essential personnel
- Disable the WOPI integration entirely if document editing features are not required
- Implement egress firewall rules to block outbound connections from the Group-Office server to internal networks and cloud metadata endpoints, while still allowing the WOPI editor server and the other dependencies (database, LDAP, mail) it legitimately uses
- Disable or restrict access to the debug system functionality until patches can be applied
# Example: restrict outbound connections from the account PHP runs as (www-data on Debian/Ubuntu;
# apache or nginx on other distributions). Allow legitimate internal destinations first (the WOPI
# editor server, database, LDAP, SMTP), otherwise these rules break normal operation. Loopback is
# left open because the database is often reached over it. DROP makes the discovery fetch hang until
# the PHP timeout; use REJECT for an immediate failure. The rules are appended, so they only act if
# no earlier OUTPUT rule accepts the traffic; save them with iptables-save and mirror in ip6tables.
iptables -A OUTPUT -d 10.20.30.40 -p tcp --dport 9980 -m owner --uid-owner www-data -j ACCEPT   # placeholder: your WOPI editor server
iptables -A OUTPUT -d 169.254.0.0/16 -m owner --uid-owner www-data -j DROP   # link-local, includes the 169.254.169.254 metadata endpoint
iptables -A OUTPUT -d 10.0.0.0/8 -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -m owner --uid-owner www-data -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -m owner --uid-owner www-data -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.