CVE-2026-7689
Deferred Deferred - Pending Action
Improper Cryptographic Signature Verification in Dolibarr ERP CRM

Publication date: 2026-05-03

Last updated on: 2026-05-05

Assigner: VulDB

Description
A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-03
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7689
EUVD
EUVD-2026-26827
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dolibarr dolibarr_erp_crm to 23.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7689 is an authentication bypass vulnerability in the Dolibarr ERP/CRM Online Signature module. It affects the function dol_verifyHash in the security library, where the cryptographic signature verification is improperly implemented. Specifically, when the system's online signature security token is empty or misconfigured and the MAIN_SECURITY_HASH_ALGO is set to password_hash, attackers can forge digital signatures on documents such as proposals, contracts, or interventions.

The vulnerability arises because the dol_verifyHash function delegates validation to PHP's password_verify() without incorporating the system-wide secret, allowing attackers to generate valid bcrypt hashes offline. By creating a predictable hash from known document details and using it in the securekey parameter, attackers can bypass authentication and mark documents as signed without authorization.

Impact Analysis

This vulnerability allows unauthenticated attackers to forge digital signatures on important documents within the Dolibarr ERP/CRM system. As a result, attackers can falsely mark proposals, contracts, or interventions as signed without proper authorization.

The impact includes compromising the integrity and authenticity of legal and financial records, potentially leading to unauthorized approvals, fraud, and loss of trust in the system's document management.

Detection Guidance

This vulnerability can be detected by checking if the Dolibarr ERP/CRM Online Signature module is using an empty or misconfigured security token and if the configuration parameter MAIN_SECURITY_HASH_ALGO is set to password_hash.

Detection involves verifying the presence of the vulnerable dol_verifyHash function behavior and monitoring for suspicious requests that include the securekey parameter with forged hashes.

A practical approach is to look for HTTP requests targeting the signature API endpoints with unusual or forged securekey values.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP traffic and filter for requests containing the 'securekey' parameter.
  • On the server, inspect the Dolibarr configuration file for the MAIN_SECURITY_HASH_ALGO setting to confirm if it is set to 'password_hash'.
  • Check the security token configuration to ensure it is not empty.
  • Example command to search for suspicious securekey usage in web server logs: grep -i 'securekey=' /var/log/apache2/access.log
Mitigation Strategies

Immediate mitigation requires ensuring that the security token used by the Online Signature module is not empty and properly configured.

Additionally, the hash verification logic in the dol_verifyHash function should be modified to prevent bypass by not relying solely on PHP's password_verify without incorporating the system-wide secret.

If possible, update Dolibarr ERP/CRM to a version later than 23.0.2 where this vulnerability is addressed.

  • Set a non-empty, strong security token in the configuration.
  • Change the MAIN_SECURITY_HASH_ALGO setting to a more secure algorithm that does not allow offline hash forgery.
  • Monitor and block suspicious requests attempting to exploit the securekey parameter.
  • If a patch or update is available from the vendor or community, apply it immediately.
Compliance Impact

This vulnerability allows unauthenticated attackers to forge digital signatures on important documents such as proposals, contracts, or interventions. By bypassing authentication and marking documents as signed without authorization, the integrity and authenticity of legal and financial records are compromised.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require ensuring the integrity, authenticity, and non-repudiation of sensitive and legally binding data. The ability to forge signatures undermines trust in document authenticity and may lead to violations of data protection and audit requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart