CVE-2026-22243: Typecast Catastrophe: The EGroupware JSON-to-SQL Pipeline

#security #cve #cybersecurity

Typecast Catastrophe: The EGroupware JSON-to-SQL Pipeline

Vulnerability ID: CVE-2026-22243
CVSS Score: 8.7
Published: 2026-01-28

A high-severity SQL injection vulnerability in EGroupware's Nextmatch widget allows authenticated attackers to manipulate database queries via JSON type juggling. By leveraging PHP's strict integer handling against a database's implicit casting, attackers can bypass quoting mechanisms and potentially exfiltrate sensitive data or modify records.

TL;DR

EGroupware trusted JSON integers to be safe. They weren't. By sending native integers in a JSON payload, attackers bypass input sanitization that expects strings, injecting unquoted values directly into SQL queries. This allows for database type confusion and unauthorized data access.

Technical Details

CWE ID: CWE-89 (SQL Injection)
Attack Vector: Network (Authenticated)
CVSS Score: 8.7 (High)
Exploit Status: No Public PoC
Root Cause: PHP Type Juggling / JSON Decoding
Affected Component: Nextmatch Filter Widget

Affected Systems

EGroupware Community Edition
EGroupware EPL (Enterprise)
EGroupware: < 23.1.20260113 (Fixed in: 23.1.20260113)
EGroupware: < 26.0.20260113 (Fixed in: 26.0.20260113)

Mitigation Strategies

Update EGroupware core immediately
Enforce strict type casting in custom Nextmatch filters
Review WAF logs for anomalous JSON numeric values in filter parameters

Remediation Steps:

Identify EGroupware installation directory.
Check current version via Admin >> Applications or header.inc.php.
If version < 23.1.20260113, execute upgrade via package manager (apt-get update && apt-get install egroupware-docker) or docker-compose pull.
Verify the update by checking the setup/admin page.