Group-Office WOPI Service SSRF and Local File Read Vulnerability (CVE-2026-25511)

Key Information Vulnerability Overview Vulnerability Name: SSRF and File Read in WOPI service discovery Severity: High (8.2/10) CVE ID: CVE-2026-25511 Affected Versions: 6.8, 25.0, 26.0 Fixed Versions: 6.8.150, 25.0.82, 26.0.5 Vulnerability Details Vulnerability Type: - SSRF (Server-Side Request Forgery) - Local file read Scope of Impact: - Any Group-Office deployment where users can create or update WOPI services. Attack Impact: - The server may be forced to access internal services or metadata endpoints. - With debugging enabled, attackers can read HTTP response bodies, leading to data leakage from internal services or files. Vulnerability Details Issue Description: - The WOPI service model performs outbound HTTP requests during validation, using user-controlled URLs. - stores user input without validation or whitelist checks. - calls to initiate or modify a URL. - performs the following: - follows redirects and accepts any URL. - The suffix can be bypassed using URL fragments. - When is sent, Group-Office enables debugging, and responses can be retrieved via . Vulnerability Reproduction Prerequisites: - User account within the System Administrator group Steps: 1. Authenticate and obtain an access token. 2. Trigger SSRF and retrieve the response. 3. Trigger file read and retrieve the response. Examples: - Authenticate and obtain access token: - Trigger SSRF: - Trigger file read: Expected Result: - The returned response includes debug entries containing the , , and of the SSRF target.

Goal Reached Thanks to every supporter — we hit 100%!

Group-Office WOPI Service SSRF and Local File Read Vulnerability (CVE-2026-25511)

More from this source