Dolibarr ERP CRM EUVD-2026-33536 | CVE-2026-10215 LOW
Improper Authorization (CWE-285)
Published 2026-06-01 · VulDB · GHSA-7fg5-vc77-69fp
Score 2.1 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS vector (NVD)

Metric breakdown of the CVSS 4.0 vector above:
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Vulnerable system impact: Confidentiality Low, Integrity None, Availability None (VC:L/VI:N/VA:N)
Subsequent system impact: None (SC:N/SI:N/SA:N)
Exploit Maturity: Proof-of-Concept (E:P)

CVSS 4.0 has no Scope metric; the vulnerable-system / subsequent-system split above replaces it, so the "Scope" field shown by some tools for this vector is not defined.

Lifecycle Timeline (4 events)

Jun 01, 2026 03:22 · NVD · Severity changed: MEDIUM → LOW
Jun 01, 2026 03:22 · NVD · CVSS score changed: 4.3 (MEDIUM) → 2.1 (LOW)
Jun 01, 2026 02:45 · vuln.today · Source code evidence fetched
Jun 01, 2026 02:45 · vuln.today · Analysis generated

Description (CVE.org)

A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.

Analysis (AI-generated)

Horizontal privilege escalation in Dolibarr ERP CRM through version 23.0.1 permits any authenticated low-privilege user to read other users' leave request records via the Leave Request REST API, with a publicly available proof-of-concept confirming exploitability. The flaw in checkUserAccessToObject within api_holidays.class.php (CWE-285, Improper Authorization) arises because the access control helper receives only an integer object ID rather than the full object, causing ownership validation to fail silently and return another user's confidential HR data. …
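
The failure mode the analysis describes (an authorization helper handed a bare integer ID, reaching an "allowed" result because the ownership comparison it expected never happens) is easiest to see next to its fail-closed counterpart. The following is an added example written for this page, not Dolibarr's code: the record layout, the in-memory table and the two check functions are hypothetical stand-ins that model the pattern, not the project's checkUserAccessToObject.

```python
"""Fail-open vs fail-closed object-level authorization (illustrative model).

Added example, not Dolibarr code. LeaveRequest, LEAVE_REQUESTS and both
check functions are hypothetical stand-ins for the pattern described in the
analysis: a helper that receives an integer ID instead of the loaded record.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Union


@dataclass(frozen=True)
class LeaveRequest:
    """Constructed stand-in for a leave record; fk_user is the owning user."""
    rowid: int
    fk_user: int
    status: str


# Constructed sample data: three employees (7, 8, 9), one leave request each.
LEAVE_REQUESTS = {
    101: LeaveRequest(rowid=101, fk_user=7, status="approved"),
    102: LeaveRequest(rowid=102, fk_user=8, status="pending"),
    103: LeaveRequest(rowid=103, fk_user=9, status="refused"),
}

ObjOrId = Union[int, LeaveRequest]


def check_access_vulnerable(user_id: int, obj: ObjOrId) -> bool:
    """Hypothetical fail-open check.

    Only a record visibly owned by *someone else* is refused. A bare integer
    has no fk_user attribute, so the owner comparison never runs and the
    function falls through to 'allowed'.
    """
    owner = getattr(obj, "fk_user", None)
    if owner is not None and owner != user_id:
        return False
    return True  # fail-open: unknown owner is treated as allowed


def check_access_hardened(user_id: int, obj: ObjOrId) -> bool:
    """Fail-closed check: resolve the record, then require a positive match."""
    record: Optional[LeaveRequest]
    if isinstance(obj, LeaveRequest):
        record = obj
    elif isinstance(obj, int) and not isinstance(obj, bool):
        record = LEAVE_REQUESTS.get(obj)  # resolve the ID to the stored record
    else:
        record = None
    if record is None:
        return False  # ownership cannot be established: deny
    return record.fk_user == user_id  # allow only on an explicit owner match


def read_leave_request(user_id: int, rowid: int,
                       check: Callable[[int, ObjOrId], bool]) -> Optional[LeaveRequest]:
    """Simulated GET /holidays/{id}; None stands for an HTTP 403/404 response.

    The ID, not the loaded record, is handed to the check, which is exactly
    the calling convention the analysis says exposes the flaw.
    """
    if not check(user_id, rowid):
        return None
    return LEAVE_REQUESTS.get(rowid)


def enumerate_visible(user_id: int, check: Callable[[int, ObjOrId], bool],
                      id_range=range(100, 110)) -> list:
    """IDs in id_range that user_id can read under the given check (the
    sequential-enumeration step from the attack chain, against this model)."""
    return [i for i in id_range if read_leave_request(user_id, i, check) is not None]
```

Under the vulnerable helper, user 7 reads all three records; under the hardened one only record 101. The design point is that the hardened version has a single positive path to "allowed" (a resolved record whose owner matches) and every other path, including an unexpected argument type, denies.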


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate to Dolibarr with a valid low-privilege account.
Delivery: Identify leave request record IDs via sequential integer enumeration.
Exploit: Send REST API GET requests to /api/index.php/holidays/{victim_id}.
Execution: The authorization check receives only the integer ID, so ownership validation is bypassed.
Persist: The API returns the victim employee's leave request data.
Impact: Repeat across the ID range to harvest the full workforce's leave records.

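The enumeration in the attack chain above leaves a distinctive footprint in the web server's access log: one client reading many distinct, mostly consecutive object IDs on the leave-request endpoint within a short window. The detector below is an added example, not code from this page or from Dolibarr. The Apache combined-format log lines are constructed, the endpoint path is taken from the attack chain, and the window and thresholds are assumed starting values to tune per deployment. In real logs, key the aggregation on the authenticated API user where the application log exposes it, rather than on client IP alone.

```python
"""Detect sequential object-ID enumeration against the leave-request API.

Added example, not part of the original page or of Dolibarr. The log lines
are constructed; the window, min_distinct and min_sequential values are
assumed starting points, not vendor or site recommendations.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Endpoint path as given in the attack chain; trailing /, ?query or end of path.
HOLIDAY_RE = re.compile(r'^/api/index\.php/holidays/(?P<id>\d+)(?:[/?]|$)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 walks IDs 100..106 in a few seconds;
# 10.0.0.9 reads a single record twice (normal self-service use).
SAMPLE_LOG = """\
10.0.0.9 - - [01/Jun/2026:09:00:01 +0000] "GET /api/index.php/holidays/240 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2026:09:00:10 +0000] "GET /api/index.php/holidays/100 HTTP/1.1" 200 498
10.0.0.5 - - [01/Jun/2026:09:00:11 +0000] "GET /api/index.php/holidays/101 HTTP/1.1" 200 503
10.0.0.5 - - [01/Jun/2026:09:00:12 +0000] "GET /api/index.php/holidays/102 HTTP/1.1" 404 61
10.0.0.5 - - [01/Jun/2026:09:00:13 +0000] "GET /api/index.php/holidays/103 HTTP/1.1" 200 510
10.0.0.5 - - [01/Jun/2026:09:00:14 +0000] "GET /api/index.php/holidays/104 HTTP/1.1" 200 499
10.0.0.5 - - [01/Jun/2026:09:00:15 +0000] "GET /api/index.php/holidays/105 HTTP/1.1" 200 507
10.0.0.5 - - [01/Jun/2026:09:00:16 +0000] "GET /api/index.php/holidays/106 HTTP/1.1" 200 511
10.0.0.9 - - [01/Jun/2026:09:00:20 +0000] "GET /api/index.php/holidays/240 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2026:09:00:30 +0000] "GET /api/index.php/users/info HTTP/1.1" 200 801
"""


def parse_holiday_reads(log_text):
    """Yield (ip, timestamp, record_id, status) for GET requests on the holidays endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        h = HOLIDAY_RE.match(m["path"])
        if not h:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(h["id"]), int(m["status"])


def find_enumerators(log_text, window=timedelta(minutes=5), min_distinct=5, min_sequential=0.6):
    """Return {ip: sorted distinct IDs} for clients that read at least min_distinct
    distinct IDs within one window where at least min_sequential of the steps
    between consecutive sorted IDs are +1. A 404 still counts: probing unused
    IDs is part of the enumeration pattern, not evidence of benign use.
    """
    by_ip = defaultdict(list)
    for ip, ts, rid, _status in parse_holiday_reads(log_text):
        by_ip[ip].append((ts, rid))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for start in range(len(events)):  # slide the window over each client's reads
            t0 = events[start][0]
            ids = sorted({rid for ts, rid in events[start:] if ts - t0 <= window})
            if len(ids) < min_distinct:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps / (len(ids) - 1) >= min_sequential:
                hits[ip] = ids
                break
    return hits
```

Run over the sample, the detector flags 10.0.0.5 with IDs 100 through 106 and ignores 10.0.0.9. The sequential-step ratio is what separates an ID walk from a legitimate client that reads a handful of unrelated records; a scanner that randomizes its order would need a different signal, such as the number of distinct IDs per user against that user's normal baseline.
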
Vulnerability Assessment (AI-generated)

Exploitation: A valid authenticated Dolibarr account with at minimum Leave Request module read access is required, consistent with CVSS PR:L (low privilege); unauthenticated external attackers cannot exploit this directly. …
Risk Assessment: This assessment was generated against the earlier NVD rating of 4.3 (Medium), expressed as the CVSS 3.x-style vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N; NVD has since revised the score to 2.1 (Low) under CVSS 4.0 (see the Lifecycle Timeline), which changes the severity band but not the underlying conditions. Either way the flaw sits in the limited-impact tier: network-reachable, low complexity, no user interaction required, but gated behind a valid low-privilege account and yielding confidentiality exposure only, with no integrity or availability impact. …
Exploit Scenario: An authenticated Dolibarr employee with a standard user account sends a series of GET requests to the Leave Request API endpoint (`/api/index.php/holidays/{id}`), incrementing the record ID to enumerate leave records belonging to other employees. Because `checkUserAccessToObject` receives only the integer ID, the ownership check does not fire, and the API returns the target employee's leave dates, approval status, and associated metadata without raising an authorization error. …
Remediation: Upgrade Dolibarr ERP CRM to version 23.0.2 or later, which incorporates the vendor-confirmed fix at commit ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73 (https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2). …


EUVD-2026-33536 vulnerability details – vuln.today