CVE-2026-11619
Improper Authorization in Dolibarr ERP CRM

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulDB

Description
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor   | Product | Version / Range
dolibarr | erp_crm | up to 23.0.2 (inclusive, affected)
dolibarr | erp_crm | 23.0.3 (fixed)
CWE ID  | Description
CWE-266 | Incorrect Privilege Assignment: a product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285 | Improper Authorization: the product does not perform, or incorrectly performs, an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

This vulnerability exists in the Dolibarr ERP CRM software up to version 23.0.2, specifically in the Legacy Filemanager component within the file config.inc.php. It is caused by improper authorization checks, allowing unauthorized users to access the filemanager functionality remotely.

The issue was fixed by adding permission checks to ensure that only users with administrative privileges or explicit write permissions on the website module can access the filemanager. If the user lacks these permissions, access is denied with an error message.

Impact Analysis

This vulnerability can allow unauthorized remote users to access and potentially manipulate files through the Legacy Filemanager component of Dolibarr ERP CRM. Such unauthorized access could lead to data exposure, unauthorized modifications, or other security breaches within the affected system.

Detection Guidance

This vulnerability is an improper authorization flaw in the Legacy Filemanager component of Dolibarr ERP CRM, specifically in the file htdocs/core/filemanagerdol/connectors/php/config.inc.php. Detecting it means verifying whether users who lack administrative privileges or write permission on the website module can reach or use the filemanager functionality.

Because the missing permission checks make the endpoint reachable remotely, a practical test is to request the filemanager endpoints from an unauthenticated session and from a low-privilege account and confirm that access is denied in both cases.

Suggested commands or steps to detect the vulnerability might include:

  • Using curl or similar tools to send requests to the filemanager endpoints (e.g., htdocs/core/filemanagerdol/connectors/php/config.inc.php) without authentication or with low-privilege credentials to see if access is granted.
  • Reviewing web server logs for unusual or unauthorized access attempts to the filemanager paths.
  • Checking the Dolibarr user permissions to confirm if the permission checks for the filemanager are properly enforced.

Note: The exact commands are not provided in the available resources.

Mitigation Strategies

The primary and sufficient mitigation step is to upgrade Dolibarr ERP CRM to version 23.0.3 or later, where this vulnerability has been fixed.

The fix includes adding permission checks in the filemanager component to ensure only users with administrative privileges or explicit write permissions on the website module can access it.

Until the upgrade can be applied, restrict access to the vulnerable filemanager endpoints and review user permissions to limit exposure.
