Compliance Impact

CVE-2026-22666 is a high-severity authenticated remote code execution vulnerability in Dolibarr ERP/CRM that allows attackers with administrator privileges to execute arbitrary code on the server. This can lead to unauthorized access to sensitive data such as admin API keys, password hashes, and emails stored in the system.

Because Dolibarr ERP/CRM is often used to manage business and customer data, exploitation of this vulnerability could result in data breaches or unauthorized data manipulation. Such incidents may violate data protection regulations like GDPR or HIPAA, which require organizations to protect personal and sensitive information from unauthorized access and ensure system integrity.

Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations by potentially exposing sensitive data and undermining the confidentiality, integrity, and availability of the system.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-22666 is a high-severity authenticated remote code execution (RCE) vulnerability in Dolibarr ERP/CRM versions prior to 23.0.2. It exists in the dol_eval_standard() function, which is responsible for validating PHP expressions before they are evaluated. The function fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax.

Attackers with administrator privileges can exploit this flaw by injecting malicious payloads through computed extrafields or other evaluation paths. They use PHP dynamic callable syntax to bypass validation and execute arbitrary code via the eval() function.

The vulnerability arises because whitelist mode ignores forbidden string checks and uses an insufficient regex that fails to detect dynamic function calls, allowing dangerous classes to be instantiated and arbitrary OS commands to be executed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with administrator privileges to execute arbitrary PHP code and operating system commands on the server running Dolibarr ERP/CRM.

• Full remote code execution with administrative privileges.
• Creation of arbitrary files on the server by instantiating dangerous classes like SplFileObject.
• Reading sensitive data from the database, including admin API keys, password hashes, and emails, by abusing Dolibarr’s ORM classes combined with whitelisted functions.
• Potential complete compromise of the affected system, leading to data theft, service disruption, or further attacks.

Useful 0 Not Useful 0

Detection Guidance

Detection of CVE-2026-22666 involves identifying attempts to exploit the authenticated remote code execution vulnerability in Dolibarr ERP/CRM versions prior to 23.0.2. Since the exploit requires administrator privileges and involves injecting malicious PHP expressions into computed extrafields, detection can focus on monitoring administrative actions and evaluating suspicious extrafield updates.

Specifically, detection can include:

• Monitoring API or web requests that update or create computed extrafields with suspicious PHP code payloads, especially those containing dynamic callable syntax like ('exec')('command').
• Checking logs for administrator logins followed by extrafield modifications.
• Inspecting web server or application logs for requests to pages that trigger evaluation of extrafields, such as "/societe/list.php".

Suggested commands for detection might include:

• Using grep or similar tools on Dolibarr logs to find extrafield updates containing suspicious patterns: grep -i "('exec')" /path/to/dolibarr/logs/*
• Monitoring web server access logs for POST requests to extrafield administration endpoints.
• Checking for unexpected file creations or modifications on the server filesystem that could result from exploitation (e.g., files created via SplFileObject).

Since the vulnerability requires authenticated administrator access, ensuring that administrator credentials are not compromised is also critical.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate mitigation step is to upgrade Dolibarr ERP/CRM to version 23.0.2 or later, where the vulnerability has been fixed.

Additional immediate steps include:

• Restrict administrator access to trusted personnel only, as exploitation requires administrator privileges.
• Review and monitor computed extrafields for suspicious or unauthorized PHP code.
• If upgrading immediately is not possible, consider disabling or restricting the use of computed extrafields or the eval functionality, if feasible.
• Audit and rotate administrator credentials to prevent unauthorized access.

The patch applied in version 23.0.2 includes enhanced input sanitization in the dol_eval_standard() function, blocking forbidden strings and patterns, detecting PHP comment syntax, and enforcing stricter whitelist checks to prevent code injection.

Useful 0 Not Useful 0