CVE-2026-10154
Received Received - Intake
Authorization Bypass in Dolibarr ERP CRM

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-05-31
Generated
2026-05-31
AI Q&A
2026-05-31
EPSS Evaluated
N/A
NVD
CVE-2026-10154
EUVD
EUVD-2026-33474
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
dolibarr erp_crm 23.0.0
dolibarr erp_crm 23.0.1
dolibarr erp_crm 23.0.2
dolibarr erp_crm From 23.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability allows an attacker to bypass authorization controls remotely by manipulating the ID parameter. This could lead to unauthorized access to sensitive messaging functions or data within the Dolibarr ERP CRM system.

Such unauthorized access may compromise the confidentiality of information, potentially exposing private communications or business data.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Dolibarr ERP CRM to version 23.0.3, which includes the patch fixing the authorization bypass issue.

This upgrade addresses the vulnerability found in versions 23.0.0, 23.0.1, and 23.0.2 by applying the patch identified by commit 119b3606c7a701747a57a1f18b1a9e7666f678e2.


Can you explain this vulnerability to me?

This vulnerability exists in Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 within an unknown function in the file htdocs/user/messaging.php. It involves manipulation of the argument ID, which leads to an authorization bypass, allowing an attacker to gain unauthorized access or perform actions they should not be permitted to do. The attack can be executed remotely.

The issue is fixed by upgrading to Dolibarr version 23.0.3, which includes a patch identified by commit 119b3606c7a701747a57a1f18b1a9e7666f678e2.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify how the vulnerability in Dolibarr ERP CRM affects compliance with common standards and regulations such as GDPR or HIPAA.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart