CVE-2026-58376
Status: Received - Intake

SQL Injection in Dolibarr ERP/CRM

Vulnerability report for CVE-2026-58376, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

Dolibarr through 23.0.3, fixed in commit 14db36e, contains a SQL injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter of the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite the (field:operator:value) triplets they match; any text placed outside that expected shape, such as an appended UNION SELECT, is concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor: dolibarr
Product: dolibarr
Version / Range: up to and including 23.0.3

Helpful Resources

Exploitability

CWE

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI Quick Actions

Executive Summary

CVE-2026-58376 is a SQL injection vulnerability in Dolibarr versions up to and including 23.0.3 affecting several REST API list endpoints. The vulnerable endpoints validate the sqlfilters parameter with a legacy routine that only checks for balanced parentheses and rewrites the (field:operator:value) triplets it recognises; any text outside that shape, such as an appended UNION SELECT, is concatenated into the SQL WHERE clause unmodified.

This allows any authenticated API user, including low-privileged ones, to exfiltrate arbitrary database contents, including password hashes and API keys, by supplying a crafted sqlfilters value.

The flaw lives in four API endpoints for setup dictionaries and multicurrencies (api_setup.class.php and api_multicurrencies.class.php), where the legacy validation passes the unmatched text straight into the query without sanitization.
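
The following is an added example, not Dolibarr's code or part of the original advisory. It models in Python the two behaviours described above: a legacy check that only balances parentheses and rewrites (field:operator:value) triplets, letting everything else through, next to a grammar-based parser that accepts only triplets joined by and/or and emits parameterized SQL. The regexes, the operator list, the field allow-list, and the SQLite tables and rows are assumptions made for the example.

```python
import re
import sqlite3

# Added example, not Dolibarr's code. It models the two behaviours the advisory
# describes: a legacy check that only balances parentheses and rewrites
# (field:op:value) triplets, and a strict parser that emits parameterized SQL.
# The regexes, operator list, field allow-list and sample tables are assumptions.

LEGACY_TRIPLET = re.compile(r"\(([^:'()]+):([^:'()]+):([^()]+)\)")


def legacy_filter_to_sql(sqlfilters):
    """Model of the weak check: return None only when parentheses do not balance,
    otherwise rewrite each triplet and pass every other character through
    unchanged, straight into the WHERE clause."""
    if sqlfilters.count("(") != sqlfilters.count(")"):
        return None
    return LEGACY_TRIPLET.sub(lambda m: f"({m.group(1)} {m.group(2)} {m.group(3)})", sqlfilters)


# Strict grammar: criterion (('and'|'or') criterion)*. A criterion is
# (field:op:value) with an identifier field, an allow-listed operator and a
# single-quoted string or a number as value. Anything else is a parse error.
CRITERION = re.compile(
    r"\(\s*([A-Za-z_][A-Za-z0-9_.]*)\s*:\s*(=|!=|<=|>=|<|>|like)\s*:\s*"
    r"('(?:[^']|'')*'|-?\d+(?:\.\d+)?)\s*\)",
    re.IGNORECASE,
)
CONNECTOR = re.compile(r"\s+(and|or)\s+", re.IGNORECASE)


def strict_filter_to_sql(sqlfilters, allowed_fields):
    """Parse sqlfilters into (sql_fragment, params) using '?' placeholders.
    Raises ValueError on any text outside the grammar, so an appended
    UNION SELECT is rejected before any SQL is built."""
    s = sqlfilters.strip()
    pos, parts, params, want_criterion = 0, [], [], True
    while pos < len(s):
        if want_criterion:
            m = CRITERION.match(s, pos)
            if not m:
                raise ValueError(f"expected (field:op:value) at offset {pos}")
            field, op, raw = m.group(1), m.group(2).upper(), m.group(3)
            if field not in allowed_fields:
                raise ValueError(f"field {field!r} is not filterable here")
            if raw.startswith("'"):
                value = raw[1:-1].replace("''", "'")  # undo SQL-style quote doubling
            else:
                value = float(raw) if "." in raw else int(raw)
            parts.append(f"{field} {op} ?")
            params.append(value)
        else:
            m = CONNECTOR.match(s, pos)
            if not m:
                raise ValueError(f"expected 'and' or 'or' at offset {pos}")
            parts.append(m.group(1).upper())
        pos = m.end()
        want_criterion = not want_criterion
    if want_criterion:  # empty input or a dangling connector
        raise ValueError("filter must end with a criterion")
    return " ".join(parts), params


# Constructed stand-in for a dictionary list endpoint, backed by in-memory SQLite
# with sample rows (table and column names are assumptions).
REGION_FIELDS = {"t.code", "t.label", "t.active"}


def list_regions(sqlfilters=""):
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE c_regions(code TEXT, label TEXT, active INTEGER);"
        "INSERT INTO c_regions VALUES ('FR','France',1),('DE','Germany',1),('XX','Retired',0);"
        "CREATE TABLE llx_user(login TEXT, pass TEXT);"
        "INSERT INTO llx_user VALUES ('admin','$2y$10$constructedhash');"
    )
    sql = "SELECT t.code, t.label FROM c_regions t WHERE t.active = 1"
    params = []
    if sqlfilters:
        fragment, params = strict_filter_to_sql(sqlfilters, REGION_FIELDS)
        sql += " AND (" + fragment + ")"
    return db.execute(sql + " ORDER BY t.code", params).fetchall()


if __name__ == "__main__":
    payload = "(t.code:=:'FR') UNION SELECT login, pass FROM llx_user -- "
    print("legacy passes :", legacy_filter_to_sql(payload))
    try:
        strict_filter_to_sql(payload, REGION_FIELDS)
    except ValueError as e:
        print("strict rejects:", e)
    print(list_regions("(t.code:=:'FR') or (t.label:like:'G%')"))
```

The point of the strict parser is that validation and SQL construction are one step: every character of the input must be consumed by the grammar, values travel as bound parameters rather than as text, and the field name is checked against what the endpoint actually exposes. The legacy model shows why a balanced-parentheses check is not a validator: the payload has exactly one open and one close parenthesis, so it passes, and only the triplet is rewritten.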

Impact Analysis

This vulnerability allows an authenticated API user to read data from the Dolibarr database that the endpoint was never meant to expose.

  • Attackers can retrieve user password hashes, which can then be cracked offline.
  • API keys stored in the database can be exposed; a stolen key gives the attacker that user's API access.
  • Either item lets a low-privileged API account be turned into further compromise of the system and unauthorized access.
Detection Guidance

This vulnerability can be detected by monitoring API requests to the affected Dolibarr REST API endpoints for suspicious usage of the sqlfilters parameter, especially attempts to inject SQL clauses such as UNION SELECT.

Specifically, look for authenticated API calls to the following endpoints with unusual sqlfilters values:

  • /api/index.php/setup/dictionary/regions
  • /api/index.php/setup/dictionary/incoterms
  • /api/index.php/setup/dictionary/vatrates
  • /api/index.php/multicurrencies

Web server access logs are the easiest source: the affected endpoints are GET list calls, so the sqlfilters value is recorded, percent-encoded, in the request line. Filter for the parameter on those paths and inspect values that carry anything beyond (field:operator:value) triplets joined by and/or, such as appended SQL keywords or comment markers.

Example commands to detect suspicious requests in web server logs (assuming Apache logs, and plaintext HTTP on port 80 for the tcpdump variant):

  • grep -i 'sqlfilters' /var/log/apache2/access.log | grep -iE 'UNION|SELECT|--|%2D%2D|;|%3B'
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'sqlfilters'

Two caveats: Dolibarr's own sqlfilters syntax joins criteria with and/or, so matching on those words (\bOR\b, \bAND\b) flags every legitimate multi-criterion filter and is better left out; and the tcpdump capture only sees plaintext HTTP, so on TLS deployments rely on the web server or reverse-proxy logs instead. Database error logs showing malformed queries from these endpoints can also reveal probing, since an attacker usually needs several attempts to get a UNION's column count right.
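
The following is an added example (not part of the original advisory) that implements the log check above in Python rather than with keyword grep: it parses Apache combined-format lines, keeps only requests to the four affected paths, percent-decodes the sqlfilters value and flags any text left over once the (field:operator:value) triplets and their and/or connectors are stripped, which is exactly the text the legacy check passes through. The log regex, the residue heuristic and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the original advisory or of Dolibarr. It scans
# Apache combined-format access log lines for the four affected endpoints and
# flags sqlfilters values carrying text outside the (field:op:value) shape, which
# is exactly the text the legacy check lets through. The log regex, the residue
# heuristic and the sample lines are constructed for this example.

AFFECTED_PATHS = {
    "/api/index.php/setup/dictionary/regions",
    "/api/index.php/setup/dictionary/incoterms",
    "/api/index.php/setup/dictionary/vatrates",
    "/api/index.php/multicurrencies",
}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TRIPLET = re.compile(r"\([^()]*:[^()]*:[^()]*\)")
CONNECTORS = re.compile(r"\b(and|or)\b", re.IGNORECASE)


def residue(sqlfilters):
    """Strip every (field:op:value) triplet and the and/or connectors that join
    them; whatever remains is text that would be concatenated into SQL as-is."""
    rest = TRIPLET.sub(" ", sqlfilters)
    rest = CONNECTORS.sub(" ", rest)
    return " ".join(rest.split())


def scan_access_log(lines):
    """Return one finding per request to an affected endpoint whose sqlfilters
    value has non-empty residue. parse_qs percent-decodes the value, so encoded
    payloads (%20, %27, +) are inspected in their decoded form."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") not in AFFECTED_PATHS:
            continue
        for value in parse_qs(url.query).get("sqlfilters", []):
            rest = residue(value)
            if rest:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": url.path,
                    "status": int(m.group("status")),
                    "bytes": m.group("bytes"),
                    "sqlfilters": value,
                    "residue": rest,
                })
    return findings


# Constructed sample lines: two legitimate multi-criterion filters, one
# appended UNION SELECT against an affected endpoint, and a keyword-only
# false positive ('UNION' inside a quoted value) on an unaffected endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jun/2026:10:01:12 +0000] "GET /api/index.php/setup/dictionary/regions'
    '?sqlfilters=(t.code:=:%27FR%27)%20and%20(t.active:=:1) HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.5 - - [30/Jun/2026:10:02:40 +0000] "GET /api/index.php/setup/dictionary/regions'
    '?sqlfilters=(t.code:=:%27FR%27)%20UNION%20SELECT%20login,pass%20FROM%20llx_user%20--%20 HTTP/1.1"'
    ' 200 4096 "-" "curl/8.5.0"',
    '198.51.100.9 - - [30/Jun/2026:10:03:01 +0000] "GET /api/index.php/multicurrencies'
    '?sqlfilters=(t.code:=:%27USD%27)%20or%20(t.code:=:%27EUR%27)&limit=100 HTTP/1.1" 200 300 "-" "python-requests/2.32"',
    '198.51.100.9 - - [30/Jun/2026:10:04:22 +0000] "GET /api/index.php/thirdparties'
    '?sqlfilters=(t.nom:like:%27%25UNION%25%27) HTTP/1.1" 200 120 "-" "python-requests/2.32"',
]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} status={f['status']} residue={f['residue']!r}")
```

Run against the sample, only the second line is reported: the two and/or filters produce no residue, and the thirdparties request is ignored because it is not one of the affected endpoints even though a keyword grep would match the UNION inside its quoted value. Feed it real lines with something like `scan_access_log(open("/var/log/apache2/access.log"))`; the response size in each finding is worth keeping, since a successful UNION typically returns far more bytes than the dictionary listing normally does.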

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Dolibarr to a version that includes the fix from commit 14db36e or later.

The fix replaces the insecure legacy SQL filter validation method with a hardened function that properly validates and sanitizes the sqlfilters parameter, preventing SQL injection.

If upgrading immediately is not possible, restrict the affected API endpoints (and ideally the REST API as a whole) to trusted networks and users, and monitor them for the patterns described under Detection Guidance.

Also review and limit API user permissions; the multicurrencies endpoint, for example, is reachable with read permission on that module, so do not hand out API keys or module read rights more widely than needed.

Finally, apply web application firewall (WAF) rules that block requests whose sqlfilters value contains SQL keywords or comment markers outside the (field:operator:value) shape. Because the data at risk includes password hashes and API keys, treat confirmed exploitation as a credential compromise: rotate API keys and reset passwords for the affected users.
