Executive Summary

CVE-2026-34036 is a Local File Inclusion (LFI) vulnerability in Dolibarr ERP/CRM software versions 22.0.4 and earlier. It exists in the AJAX endpoint /core/ajax/selectobject.php, where the parameter objectdesc is manipulated to include arbitrary files.

The vulnerability arises because the code includes files based on the objectdesc parameter before performing access control checks. The access control function restrictedArea() is called after the file inclusion attempt, and due to a fail-open logic flaw, it can be bypassed when certain conditions are met.

An authenticated user with minimal privileges can exploit this flaw to read arbitrary non-PHP files on the server, such as .env, .htaccess, configuration backups, or logs. Including PHP files causes a fatal error but does not lead to code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with any authenticated user account to read sensitive files on the server that should normally be protected.

• Exposure of environment variables (.env files) which may contain database credentials or API keys.
• Access to configuration files like .htaccess that could reveal server settings.
• Reading backup files or logs that may contain sensitive information or clues for further attacks.

Such information disclosure can facilitate further exploitation, data breaches, or unauthorized access to other parts of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the Local File Inclusion (LFI) in the Dolibarr AJAX endpoint `/core/ajax/selectobject.php` by sending crafted HTTP GET requests with manipulated parameters.

Specifically, an authenticated user can send a request targeting the `objectdesc` parameter to include arbitrary non-PHP files such as `.env` or `.htaccess` and observe if the file contents are returned in the HTTP response.

• Authenticate to Dolibarr with any user account.
• Send a crafted GET request like: `GET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0`

If the server responds with the contents of the specified file before a PHP fatal error, the vulnerability is present.

A Python script proof of concept exists to automate login and file extraction, which can be adapted for detection purposes.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access and applying input validation to prevent exploitation of the vulnerable file inclusion.

• Ensure that only authenticated users with proper privileges can access the `/core/ajax/selectobject.php` endpoint.
• Implement strict input validation or whitelisting on the `objectdesc` parameter or the underlying `$classpath` variable to prevent arbitrary file inclusion.
• Modify the access control logic in the `restrictedArea()` function to deny access explicitly when the features parameter is empty, preventing fail-open behavior.
• If possible, apply the official patch which sanitizes the class path input, restricts inclusion to `.class.php` files, and enforces stricter access control checks.

Until a patch is applied, consider monitoring and restricting user accounts to minimize risk.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user with minimal privileges to read arbitrary non-PHP files on the server, potentially exposing sensitive data such as environment variables, configuration files, logs, and database dumps.

Exposure of such sensitive information can lead to unauthorized disclosure of personal or protected data, which may violate data protection regulations like GDPR or HIPAA that require safeguarding of confidential information.

Therefore, this vulnerability could negatively impact compliance with these standards by enabling unauthorized access to sensitive data stored on the server.

Useful 0 Not Useful 0