CVE-2026-22243 in egroupware
Summary
by MITRE • 01/28/2026
EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/19/2026
The CVE-2026-22243 vulnerability represents a critical SQL injection flaw within the EGroupware web-based groupware server platform that affects versions prior to 23.1.20260113 and 26.0.20260113. This vulnerability specifically targets the core components of the application, particularly the Nextmatch filter processing functionality that handles database query construction. The flaw stems from a fundamental security oversight in how the application processes user input, creating an avenue for authenticated attackers to manipulate database queries through malicious input in the WHERE clause. The vulnerability demonstrates a classic weakness in input validation and sanitization that has been exploited in numerous similar security incidents throughout the industry.
The technical exploitation of this vulnerability relies on a PHP type juggling vulnerability that occurs during JSON decoding operations within the application's filter processing logic. When user-supplied data is processed through the Nextmatch filter system, the application employs an `is_int()` type check as a security measure to validate input parameters before incorporating them into database queries. However, the PHP type juggling behavior during JSON decoding converts numeric strings into integer values, effectively bypassing this security check. This bypass allows attackers to submit malicious input that appears as an integer to the application but contains SQL injection payloads that are executed against the underlying database. The vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws, and demonstrates how improper input validation can create exploitable conditions even when basic type checking mechanisms are in place.
The operational impact of this vulnerability is significant for organizations relying on EGroupware for collaborative groupware services, as authenticated attackers can leverage this flaw to execute arbitrary database commands. Successful exploitation could result in unauthorized data access, data modification, or even complete database compromise depending on the privileges of the authenticated user. The vulnerability affects the core database interaction functionality of the application, potentially allowing attackers to extract sensitive information, modify user credentials, or manipulate business data. This type of vulnerability is particularly dangerous in web-based groupware environments where users often have elevated privileges and access to critical organizational data. The attack vector requires authentication, which limits the scope compared to unauthenticated vulnerabilities, but still represents a serious threat to data integrity and confidentiality.
Organizations using affected versions of EGroupware should immediately implement the patches released in versions 23.1.20260113 and 26.0.20260113 to remediate this vulnerability. The patch addresses the root cause by fixing the type validation logic in the Nextmatch filter processing to properly handle JSON-decoded values and prevent the bypass of security checks. Security administrators should also consider implementing additional monitoring and logging around database query execution to detect potential exploitation attempts. The vulnerability demonstrates the importance of proper input validation and the potential risks of relying on single-layer security mechanisms such as basic type checking. Organizations should review their application security practices to ensure that similar type juggling issues are not present in other components and consider implementing automated security testing that includes PHP-specific vulnerability scanning. This vulnerability aligns with ATT&CK technique T1190, which covers exploiting vulnerabilities in web applications, and highlights the need for comprehensive application security testing including both static and dynamic analysis approaches.