Description
A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.
Published: 2026-05-30
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Dolibarr ERP CRM's htdocs/user/messaging.php allows an attacker to manipulate the ID parameter in web requests, bypassing the authorization checks that normally protect user messages. This improper access control (CWE-285) and authorization bypass through a user-controlled key (CWE-639) enable the attacker to read or modify messages belonging to other users, potentially exposing private communications or facilitating further attacks within the application.

Affected Systems

Dolibarr ERP CRM releases 23.0.0, 23.0.1, and 23.0.2 are vulnerable. The flaw was fixed in version 23.0.3 by correcting the validation logic in the messaging module; upgrading to this or any newer release removes the vulnerability.

Risk and Exploitability

The CVSS score of 5.3 marks the issue as moderate severity. An attacker can exploit it remotely by sending crafted HTTP requests that alter the ID argument. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not widely exploited yet. Nevertheless, because the bug escalates privileges within the application, it should be remediated promptly.

Generated by OpenCVE AI on May 31, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Dolibarr instances to version 23.0.3 or newer to apply the vendor-supplied patch.
  • Verify that the messaging.php endpoint enforces role-based access controls so that only authorized users can view or modify messages.
  • If immediate upgrading is not possible, temporarily restrict external access to messaging.php via firewall or application routing until the patch can be applied.
  • Monitor application logs for anomalous ID values or repeated access attempts to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.
Title Dolibarr ERP CRM messaging.php authorization
First Time appeared Dolibarr; Dolibarr erp Crm
Weaknesses CWE-285; CWE-639
CPEs cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
Vendors & Products Dolibarr; Dolibarr erp Crm
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Dolibarr Erp Crm
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-30T23:00:13.659Z

Reserved: 2026-05-30T05:52:24.717Z

Link: CVE-2026-10154

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-31T00:16:33.527

Modified: 2026-05-31T00:16:33.527

Link: CVE-2026-10154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T01:00:14Z

Weaknesses