CVE-2026-11619
Status: Deferred - Pending Action

Improper Authorization in Dolibarr ERP CRM

Vulnerability report for CVE-2026-11619, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulDB

Description

A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28
External references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   | Product | Version / Range
dolibarr | erp_crm | up to and including 23.0.2 (affected)
dolibarr | erp_crm | 23.0.3 (fixed)

Exploitability

CWE

CWE ID  | Description
CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

AI Quick Actions

Executive Summary

This vulnerability exists in the Dolibarr ERP CRM software up to version 23.0.2, specifically in the Legacy Filemanager component within the file config.inc.php. It is caused by improper authorization checks, allowing unauthorized users to access the filemanager functionality remotely.

The issue was fixed by adding permission checks to ensure that only users with administrative privileges or explicit write permissions on the website module can access the filemanager. If the user lacks these permissions, access is denied with an error message.

Impact Analysis

This vulnerability can allow unauthorized remote users to access and potentially manipulate files through the Legacy Filemanager component of Dolibarr ERP CRM. Such unauthorized access could lead to data exposure, unauthorized modifications, or other security breaches within the affected system.

Detection Guidance

This vulnerability is an improper-authorization flaw in the Legacy Filemanager component of Dolibarr ERP CRM, specifically in the file htdocs/core/filemanagerdol/connectors/php/config.inc.php. Detection comes down to verifying whether users who are neither administrators nor holders of write permission on the website module can reach or manipulate the filemanager functionality.

Because the flaw is a missing permission check that is reachable remotely, the practical test is to observe what the filemanager endpoints return to a session without administrative or write permissions: a non-privileged request that is served, rather than refused, indicates an unpatched instance.

Suggested commands or steps to detect the vulnerability might include:

  • Using curl or similar tools to send requests to the filemanager endpoints (e.g., htdocs/core/filemanagerdol/connectors/php/config.inc.php) without authentication or with low-privilege credentials to see if access is granted.
  • Reviewing web server logs for unusual or unauthorized access attempts to the filemanager paths.
  • Checking the Dolibarr user permissions to confirm if the permission checks for the filemanager are properly enforced.

Note: The exact commands are not provided in the available resources.
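The log-review step listed above, as an added example that is not part of this advisory or of the Dolibarr project: a Python script that parses web server access logs in the Apache/nginx "combined" format, picks out every request aimed at the legacy filemanager directory, and separates requests that were served from requests that were refused. The log lines are constructed for the example; apart from config.inc.php, the file names and query strings under /core/filemanagerdol/ are illustrative rather than confirmed Dolibarr endpoints, and the administrator address allowlist is an assumption to be filled from your own records. Since htdocs/ is normally the web root, the URL path omits that prefix; the matcher keys on the filemanagerdol directory name so it works either way.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# Only config.inc.php comes from the advisory; the other paths are illustrative.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2026:08:14:02 +0000] "GET /index.php?mainmenu=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2026:08:14:09 +0000] "GET /core/filemanagerdol/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ HTTP/1.1" 200 873 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2026:08:15:33 +0000] "POST /core/filemanagerdol/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 311 "-" "curl/8.5.0"
198.51.100.7 - - [10/Jun/2026:08:15:40 +0000] "GET /core/filemanagerdol/connectors/php/config.inc.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.0.2.44 - - [10/Jun/2026:08:16:01 +0000] "GET /core/filemanagerdol/connectors/php/connector.php?Command=GetFolders HTTP/1.1" 403 201 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2026:08:17:12 +0000] "GET /societe/list.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory name of the legacy filemanager; matched case-insensitively anywhere in the path
FILEMANAGER_MARKER = "/filemanagerdol/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def filemanager_hits(lines):
    """Return parsed records whose request path touches the legacy filemanager."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and FILEMANAGER_MARKER in rec["path"].lower():
            hits.append(rec)
    return hits


def triage(lines, known_admin_ips=frozenset()):
    """Split filemanager hits into three buckets:
    'served'  - 2xx/3xx answered to an address not on the admin allowlist (needs review),
    'blocked' - 4xx/5xx, i.e. the permission check, web server or WAF refused it,
    'admin'   - served to an address you have confirmed belongs to an administrator."""
    served, blocked, admin = [], [], []
    for rec in filemanager_hits(lines):
        if rec["status"] >= 400:
            blocked.append(rec)
        elif rec["ip"] in known_admin_ips:
            admin.append(rec)
        else:
            served.append(rec)
    return {"served": served, "blocked": blocked, "admin": admin}


def sources(hits):
    """Count filemanager requests per client address, to spot scanners or repeated probing."""
    return Counter(rec["ip"] for rec in hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Assumption: 203.0.113.10 is a known administrator workstation (constructed value).
    result = triage(lines, known_admin_ips={"203.0.113.10"})
    for label in ("served", "blocked", "admin"):
        print(f"{label}: {len(result[label])}")
        for rec in result[label]:
            print(f"  {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']} ({rec['ua']})")
    print("requests per source:", dict(sources(filemanager_hits(lines))))
```

On an instance still running 23.0.2 or earlier, a 2xx answer to a filemanager path from an address you cannot tie to an administrator is the finding to follow up on; after the upgrade to 23.0.3 the added permission check should refuse such requests instead. If your deployment renders its access-denied page with a 200 status rather than a 4xx, extend the "blocked" test to the response size or the denial text in the body, since status alone will not distinguish the two cases there.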

Mitigation Strategies

The primary and sufficient mitigation step is to upgrade Dolibarr ERP CRM to version 23.0.3 or later, where this vulnerability has been fixed.

The fix includes adding permission checks in the filemanager component to ensure only users with administrative privileges or explicit write permissions on the website module can access it.

Until the upgrade can be applied, restrict access to the vulnerable filemanager endpoints and review user permissions to limit exposure.

Compliance Impact

The vulnerability in Dolibarr ERP CRM involves improper authorization allowing unauthorized access to the legacy filemanager component. This could potentially lead to unauthorized access to sensitive data managed within the system.

Such unauthorized access risks may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to prevent data breaches.

By allowing unauthorized users to access or manipulate files, the vulnerability could lead to exposure or alteration of protected data, thereby violating confidentiality and integrity requirements mandated by these standards.

The patch introduced permission checks ensuring only administrators or users with explicit write permissions can access the filemanager, which helps restore compliance by enforcing proper authorization controls.
