<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Composer/Egroupware/Egroupware (&lt; 23.1.20260224) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/composer/egroupware/egroupware--23.1.20260224/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 13:12:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/composer/egroupware/egroupware--23.1.20260224/feed.xml" rel="self" type="application/rss+xml"/><item><title>EGroupware Critical RCE Vulnerability (CVE-2026-27823)</title><link>https://feed.craftedsignal.io/briefs/2026-07-egroupware-rce/</link><pubDate>Tue, 07 Jul 2026 13:12:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-egroupware-rce/</guid><description>A critical remote code execution vulnerability (CVE-2026-27823) in EGroupware allows an authenticated attacker, or an unauthenticated attacker if self-registration is enabled, to execute arbitrary commands on the server by combining an authorization bypass, arbitrary file write via path traversal, and arbitrary file read, leading to full system compromise.</description><content:encoded><![CDATA[<p>A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-27823, has been discovered in EGroupware, an open-source collaboration suite. This flaw allows an authenticated attacker to execute arbitrary code on the underlying server. In environments where user self-registration is enabled, the vulnerability can be exploited by an unauthenticated attacker, significantly broadening its impact. Discovered by Huong Kieu of Cenobe Security, the vulnerability stems from a chain of weaknesses: an improper authorization check in the <code>SmallPartMediaRecorder::ajax_upload()</code> function, which can be bypassed via crafted request data, an arbitrary file write due to path traversal, and a separate arbitrary file read vulnerability in <code>importexport_export_ui::download</code>. By combining these, attackers can overwrite critical PHP files, inject malicious code, and achieve full system compromise. The vulnerability affects <code>composer/egroupware/egroupware</code> versions prior to <code>23.1.20260224</code> and versions <code>26.0.20251208</code> through <code>26.1.20260223</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Authentication Bypass</strong>: An attacker, potentially unauthenticated if self-registration is enabled, crafts a POST request to <code>/egroupware/json.php</code> targeting the <code>SmallPartMediaRecorder::ajax_upload()</code> function.</li>
<li><strong>Authorization Bypass</strong>: The crafted request includes a manipulated JSON body with <code>participant_role</code> set to <code>3</code> (ROLE_TEACHER), bypassing the <code>isTeacher</code> check intended to restrict file uploads.</li>
<li><strong>Arbitrary File Write</strong>: Following the authorization bypass, the attacker exploits a path traversal vulnerability via the <code>video_type</code> parameter to write an arbitrary file to a controlled path, such as <code>./header.inc.php</code>.</li>
<li><strong>Arbitrary File Read</strong>: A separate vulnerability is exploited by making a GET request to <code>/egroupware/index.php?menuaction=importexport.importexport_export_ui.download</code> with a malicious <code>_filename</code> parameter (e.g., <code>../../../usr/share/egroupware/header.inc.php</code>) to read the original content of the target file.</li>
<li><strong>Code Injection Preparation</strong>: The attacker combines the original <code>header.inc.php</code> content with injected PHP code (e.g., a webshell or administrative credential modification logic) to preserve file validity and ensure continued server operation.</li>
<li><strong>Remote Code Execution</strong>: The attacker overwrites <code>header.inc.php</code> using the arbitrary file write vulnerability with the crafted content, leading to Remote Code Execution when the file is subsequently loaded by the web server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-27823 leads to critical consequences, including full system compromise and complete takeover of the EGroupware instance. Attackers can gain arbitrary remote code execution on the server, allowing them to install backdoors, exfiltrate sensitive data, manipulate or destroy data, or pivot to other systems within the network. This could result in significant data breaches, operational disruption, and reputational damage for affected organizations. The ability to modify administrative setup passwords further enables persistent control over the EGroupware application.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-27823 immediately</strong>: Upgrade EGroupware <code>composer/egroupware/egroupware</code> to version <code>23.1.20260224</code> or <code>26.2.20260224</code> to mitigate CVE-2026-27823.</li>
<li><strong>Disable user self-registration</strong>: If not strictly necessary, disable user self-registration in EGroupware to reduce the attack surface for unauthenticated exploitation of CVE-2026-27823.</li>
<li><strong>Deploy the Sigma rules in this brief</strong>: Integrate the provided Sigma rules into your SIEM to detect attempts at exploiting the authorization bypass, arbitrary file write, and arbitrary file read components of CVE-2026-27823.</li>
<li><strong>Enable webserver logging</strong>: Ensure comprehensive logging for your EGroupware web server (access logs, error logs) to capture HTTP requests including method, URI, query parameters, and POST body details, which are critical for activating the detection rules.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>RCE</category><category>web-vulnerability</category><category>egroupware</category><category>php</category><category>critical</category><category>exploit</category></item></channel></rss>