CVE-2026-10215
Deferred - Pending Action
Improper Authorization in Dolibarr ERP CRM

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: VulDB

Description
A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-03
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products (3 associated CPEs)
Vendor     Product   Version / Range
dolibarr   erp_crm   up to 23.0.1 (inclusive)
dolibarr   erp_crm   23.0.0
dolibarr   erp_crm   23.0.2
CWE ID    Description
CWE-285   The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266   A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Dolibarr ERP CRM to version 23.0.2 or later, where the vulnerability has been fixed.

The fix involves correcting the authorization checks in the Leave Request API to ensure proper hierarchy and object-level access control.

Until the upgrade can be applied, consider restricting API access to trusted users only and monitoring API usage for suspicious access patterns.

Executive Summary

CVE-2026-10215 is a security vulnerability in Dolibarr ERP CRM up to version 23.0.1, specifically in the Leave Request REST API component. It involves improper authorization in the function checkUserAccessToObject, allowing a low-privileged user to bypass access controls.

The vulnerability allows an attacker to access leave request details of other employees via the API, even though the web user interface correctly restricts such access. This happens because the API performs weaker object-level authorization checks compared to the web UI, passing only a numeric ID and bypassing hierarchy-based permission checks.

The root cause is inconsistent access control enforcement between the API and the web UI, leading to unauthorized disclosure of sensitive leave data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information such as leave schedules, approver details, and other business data of employees.

An attacker with limited permissions can exploit the API remotely to access data they should not be authorized to see, potentially enabling social engineering attacks or further exploitation within the organization.

Detection Guidance

This vulnerability can be detected by testing the Leave Request REST API for improper authorization: using a low-privileged user account, attempt to access the leave request details of other users through API endpoints such as /api/index.php/holidays/{id}.

A practical detection method involves creating two test accounts: one victim user and one attacker with limited permissions. Using the attacker account, send API requests to access leave requests of other users and observe if unauthorized data is returned.

Example command using curl to test unauthorized access:

  • curl -H "Authorization: Bearer <attacker_token>" https://<dolibarr_instance>/api/index.php/holidays/8

If the response returns leave request details for an ID that the attacker should not have access to, the vulnerability is present.
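Building on the two-account check above and the interim advice under Mitigation Strategies to monitor API usage, here is an added example (not from this page or the Dolibarr project) of detection logic run over API access logs: it flags users who successfully read holiday objects they neither own nor approve, which on a patched instance should never succeed. The log line format, the holiday ownership map and the approver map are constructed assumptions, so the parser must be adapted to whatever your reverse proxy or web server actually logs.

```python
import re
from collections import defaultdict

# Constructed sample access log ("timestamp user method path status"); this is NOT
# Dolibarr's own log format, adapt LINE_RE to what your proxy or API gateway emits.
SAMPLE_LOG = """\
2026-06-02T09:00:01Z alice   GET /api/index.php/holidays/8  200
2026-06-02T09:00:05Z mallory GET /api/index.php/holidays/8  200
2026-06-02T09:00:06Z mallory GET /api/index.php/holidays/9  200
2026-06-02T09:00:07Z mallory GET /api/index.php/holidays/12 200
2026-06-02T09:00:08Z mallory GET /api/index.php/holidays/15 403
2026-06-02T09:00:09Z dave    GET /api/index.php/holidays/8  200
2026-06-02T09:01:00Z bob     GET /api/index.php/users/3     200
"""

# Constructed ownership data: holiday id -> employee who filed it, and
# approver -> set of employees whose leave requests they are allowed to see.
HOLIDAY_OWNERS = {8: "alice", 9: "alice", 12: "bob", 15: "carol"}
APPROVES = {"dave": {"alice", "bob"}}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")
HOLIDAY_RE = re.compile(r"^/api/index\.php/holidays/(?P<id>\d+)$")


def parse_holiday_request(line):
    """Return a dict for a request to /api/index.php/holidays/{id}, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h = HOLIDAY_RE.match(m["path"])
    if not h:
        return None
    return {"ts": m["ts"], "user": m["user"], "method": m["method"],
            "id": int(h["id"]), "status": int(m["status"])}


def cross_user_holiday_reads(lines, owners, approves):
    """Map each user to the sorted holiday ids they read successfully (2xx GET)
    without owning the request or being the owner's approver."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_holiday_request(line)
        if rec is None or rec["method"] != "GET" or not 200 <= rec["status"] < 300:
            continue  # not a holiday read, or the server already refused it
        owner = owners.get(rec["id"])
        if owner is None or owner == rec["user"] or owner in approves.get(rec["user"], set()):
            continue  # unknown object, own request, or legitimate approver access
        hits[rec["user"]].add(rec["id"])
    return {user: sorted(ids) for user, ids in hits.items()}


if __name__ == "__main__":
    for user, ids in cross_user_holiday_reads(SAMPLE_LOG.splitlines(), HOLIDAY_OWNERS, APPROVES).items():
        print(f"{user} read holidays {ids} belonging to other users")
```

The denied request (status 403) and the approver's read are deliberately not flagged, so the output isolates the horizontal access the advisory describes.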

Compliance Impact

The vulnerability in Dolibarr ERP CRM allows unauthorized horizontal data access via the Leave Request API, enabling a low-privileged user to read leave request data of other ordinary users within the same entity.

This unauthorized disclosure of sensitive employee leave information could lead to violations of data privacy principles found in regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.

Because the API bypasses proper authorization checks that are enforced in the Web UI, this inconsistency increases the risk of data exposure, potentially impacting compliance with standards that mandate confidentiality and proper authorization mechanisms.

Upgrading to version 23.0.2, which includes a fix for this issue, is recommended to restore proper access controls and help maintain compliance with such regulations.
