CVE-2026-22666
Authenticated Remote Code Execution in Dolibarr dol_eval_standard
Publication date: 2026-04-07
Last updated on: 2026-04-24
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dolibarr | dolibarr_erp/crm | up to 23.0.2 (excluding 23.0.2) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22666 is a high-severity authenticated remote code execution (RCE) vulnerability in Dolibarr ERP/CRM versions prior to 23.0.2. It exists in the dol_eval_standard() function, which is responsible for validating PHP expressions before they are evaluated. The function fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax.
Attackers with administrator privileges can exploit this flaw by injecting malicious payloads through computed extrafields or other evaluation paths. They use PHP dynamic callable syntax to bypass validation and execute arbitrary code via the eval() function.
The vulnerability arises because whitelist mode ignores forbidden string checks and uses an insufficient regex that fails to detect dynamic function calls, allowing dangerous classes to be instantiated and arbitrary OS commands to be executed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-22666 is a high-severity authenticated remote code execution vulnerability in Dolibarr ERP/CRM that allows attackers with administrator privileges to execute arbitrary code on the server. This can lead to unauthorized access to sensitive data such as admin API keys, password hashes, and emails stored in the system.
Because Dolibarr ERP/CRM is often used to manage business and customer data, exploitation of this vulnerability could result in data breaches or unauthorized data manipulation. Such incidents may violate data protection regulations like GDPR or HIPAA, which require organizations to protect personal and sensitive information from unauthorized access and ensure system integrity.
Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations by potentially exposing sensitive data and undermining the confidentiality, integrity, and availability of the system.
How can this vulnerability impact me?
This vulnerability allows an attacker with administrator privileges to execute arbitrary PHP code and operating system commands on the server running Dolibarr ERP/CRM.
- Full remote code execution with administrative privileges.
- Creation of arbitrary files on the server by instantiating dangerous classes like SplFileObject.
- Reading sensitive data from the database, including admin API keys, password hashes, and emails, by abusing Dolibarr's ORM classes combined with whitelisted functions.
- Potential complete compromise of the affected system, leading to data theft, service disruption, or further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-22666 involves identifying attempts to exploit the authenticated remote code execution vulnerability in Dolibarr ERP/CRM versions prior to 23.0.2. Since the exploit requires administrator privileges and involves injecting malicious PHP expressions into computed extrafields, detection can focus on monitoring administrative actions and evaluating suspicious extrafield updates.
Specifically, detection can include:
- Monitoring API or web requests that update or create computed extrafields with suspicious PHP code payloads, especially those containing dynamic callable syntax like ('exec')('command').
- Checking logs for administrator logins followed by extrafield modifications.
- Inspecting web server or application logs for requests to pages that trigger evaluation of extrafields, such as "/societe/list.php".
Suggested commands for detection might include:
- Using grep or similar tools on Dolibarr logs to find extrafield updates containing suspicious patterns: grep -i "('exec')" /path/to/dolibarr/logs/*
- Monitoring web server access logs for POST requests to extrafield administration endpoints.
- Checking for unexpected file creations or modifications on the server filesystem that could result from exploitation (e.g., files created via SplFileObject).
Since the vulnerability requires authenticated administrator access, ensuring that administrator credentials are not compromised is also critical.
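The log-inspection idea above, turned into a small detection script. This is an added example, not code from the advisory or from the Dolibarr project: the log line format, the /admin/extrafields.php path and the expr="..." field are assumptions made for the example, and the sample lines are constructed. It flags the signatures the advisory describes (forbidden function names, dynamic callable syntax such as ('exec')('command'), variable function calls, PHP comment syntax, and class instantiation such as SplFileObject) and also shows why a naive name( check of the kind described as insufficient misses the dynamic form.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for this example. The path, the expr= field
# and the whole line format are assumptions, not Dolibarr's real log format;
# the ('exec')('command') pattern is the one named in the advisory text.
SAMPLE_LOG = """\
2026-04-08 10:14:03 admin POST /admin/extrafields.php expr="$object->total_ht * 1.2"
2026-04-08 10:15:41 admin POST /admin/extrafields.php expr="('exec')('command')"
2026-04-08 10:16:02 admin POST /admin/extrafields.php expr="round($object->total_ttc, 2)"
2026-04-08 10:17:30 admin POST /admin/extrafields.php expr="1 /* hidden */ + strlen('x')"
2026-04-08 10:18:12 admin POST /admin/extrafields.php expr="new SplFileObject('/tmp/x', 'w')"
2026-04-08 10:19:55 admin POST /admin/extrafields.php expr="$f = 'system'; $f('command')"
2026-04-08 10:21:07 admin GET  /societe/list.php
"""

# A naive check of the kind the advisory describes as insufficient: it only
# catches a forbidden name written directly as name(...), so a string
# literal used as a callable slips through.
NAIVE_CALL_RE = re.compile(
    r"\b(exec|system|shell_exec|passthru|popen|proc_open|eval)\s*\("
)

# Signatures a defender would apply to each computed expression.
SIGNATURES = {
    # forbidden name anywhere in the expression, however it is invoked
    "forbidden_string": re.compile(
        r"\b(exec|system|shell_exec|passthru|popen|proc_open|eval)\b"
    ),
    # string literal used as a callable: ('exec')(...), "exec"(...), 'exec'(...)
    "dynamic_callable": re.compile(
        r"""\(?\s*['"][A-Za-z_\\][\w\\]*['"]\s*\)?\s*\("""
    ),
    # variable function call: $f(...)
    "variable_function": re.compile(r"\$\w+\s*\("),
    # PHP comment syntax, which can hide tokens from a line-oriented check
    # (the lookbehinds avoid matching "://" in URLs and "&#" in entities)
    "php_comment": re.compile(r"/\*|(?<!:)//|(?<![\w&])#"),
    # object instantiation inside a computed field (e.g. new SplFileObject)
    "object_instantiation": re.compile(r"\bnew\s+[A-Za-z_\\]"),
}

# Extracts the computed expression from the assumed expr="..." field.
EXPR_RE = re.compile(r'expr="(.*)"$')


@dataclass
class Finding:
    line_no: int
    expr: str
    signatures: list


def extract_expr(line: str):
    """Return the expression carried by an extrafield update line, or None."""
    m = EXPR_RE.search(line)
    return m.group(1) if m else None


def scan_log(text: str) -> list:
    """Return one Finding per log line whose expression trips a signature."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        expr = extract_expr(line)
        if expr is None:
            continue  # not an extrafield update; nothing to evaluate
        hits = [name for name, rx in SIGNATURES.items() if rx.search(expr)]
        if hits:
            findings.append(Finding(n, expr, hits))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.signatures)} -> {f.expr}")
```

Run it over real log material by replacing SAMPLE_LOG with the file contents and adjusting EXPR_RE to wherever your deployment records the expression; the signature list is deliberately broad, so treat a hit as a review trigger for that administrator action rather than as proof of exploitation.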
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade Dolibarr ERP/CRM to version 23.0.2 or later, where the vulnerability has been fixed.
Additional immediate steps include:
- Restrict administrator access to trusted personnel only, as exploitation requires administrator privileges.
- Review and monitor computed extrafields for suspicious or unauthorized PHP code.
- If upgrading immediately is not possible, consider disabling or restricting the use of computed extrafields or the eval functionality, if feasible.
- Audit and rotate administrator credentials to prevent unauthorized access.
The patch applied in version 23.0.2 includes enhanced input sanitization in the dol_eval_standard() function, blocking forbidden strings and patterns, detecting PHP comment syntax, and enforcing stricter whitelist checks to prevent code injection.