Description
A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the checkUserAccessToObject function within the Leave Request REST API (api_holidays.class.php) of Dolibarr ERP CRM. The flaw allows an attacker to bypass the object-level authorization check and obtain data to which they should not have access. The issue is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), i.e. a privilege-management defect rather than an injection or memory-safety bug. If exploited, an attacker could read or manipulate leave request information belonging to other users without holding the required permissions.
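As an added illustration, not Dolibarr's code and not the patched function, the following hypothetical PHP (Dolibarr's implementation language) contrasts the weak pattern the advisory describes, a module-level "read" right that is checked without an ownership test, with a hardened object-level check that denies by default. The class names ApiUser and LeaveRequest, the field names ownerUserId and validatorUserId, the permission flags 'read' and 'readall', and the sample records are all assumptions constructed for the example.

```php
<?php
// Added example: hypothetical object-level authorization for a leave-request API.
// Not Dolibarr's code; class, field and permission names are assumptions.

declare(strict_types=1);

final class ApiUser
{
    public function __construct(
        public readonly int $id,
        /** @var array<string,bool> permission flags, e.g. ['read' => true, 'readall' => false] */
        public readonly array $rights,
    ) {}

    public function can(string $right): bool
    {
        return $this->rights[$right] ?? false;
    }
}

final class LeaveRequest
{
    public function __construct(
        public readonly int $id,
        public readonly int $ownerUserId,     // the employee the request belongs to
        public readonly int $validatorUserId, // the approver assigned to it
        public readonly string $description,
    ) {}
}

/** Constructed sample data standing in for the database table. */
function sampleRequests(): array
{
    return [
        1 => new LeaveRequest(1, ownerUserId: 10, validatorUserId: 20, description: 'Annual leave, 5 days'),
        2 => new LeaveRequest(2, ownerUserId: 11, validatorUserId: 20, description: 'Sick leave, 2 days'),
    ];
}

/**
 * Weak check: only confirms the caller holds a module-level "read" right.
 * Any authenticated user with that right can fetch ANY request by id,
 * which is the improper-authorization pattern the advisory describes.
 */
function weakAccessCheck(ApiUser $user, LeaveRequest $req): bool
{
    return $user->can('read');
}

/**
 * Hardened check: module right AND an object-level ownership test.
 * The caller must own the record, be its assigned validator, or hold
 * an explicit "readall" right. Anything else is denied.
 */
function hardenedAccessCheck(ApiUser $user, LeaveRequest $req): bool
{
    if (!$user->can('read')) {
        return false;
    }
    if ($user->can('readall')) {
        return true;
    }
    return $req->ownerUserId === $user->id || $req->validatorUserId === $user->id;
}

/** API-style handler: fetch the record, authorize, then return; 403 on failure. */
function getLeaveRequest(ApiUser $user, int $id, callable $check): array
{
    $req = sampleRequests()[$id] ?? null;
    if ($req === null) {
        return ['status' => 404];
    }
    if (!$check($user, $req)) {
        return ['status' => 403];
    }
    return ['status' => 200, 'description' => $req->description];
}

// Demo: user 11 holds the module "read" right but owns only request 2.
$employee = new ApiUser(11, ['read' => true, 'readall' => false]);
printf("weak check, request 1:     HTTP %d\n", getLeaveRequest($employee, 1, 'weakAccessCheck')['status']);
printf("hardened check, request 1: HTTP %d\n", getLeaveRequest($employee, 1, 'hardenedAccessCheck')['status']);
printf("hardened check, request 2: HTTP %d\n", getLeaveRequest($employee, 2, 'hardenedAccessCheck')['status']);
```

With the weak check, user 11 retrieves user 10's request because the module right alone is consulted; with the hardened check, the same call is refused while the user's own record is still returned. The design point is that the ownership test runs after the record is loaded, so the decision is made against the actual object rather than against the request parameters.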

Affected Systems

Dolibarr ERP CRM versions up to and including 23.0.1 are affected. The component is the Leave Request REST API, which relies on the api_holidays.class.php file. Upgrading to 23.0.2 or later resolves the issue, as the patch commit ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73 has been applied.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability at a medium severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability can be triggered from a remote interface, and the exploit has been publicly disclosed, increasing the likelihood of real-world attacks. Given the remote nature and the public disclosure, administrators should treat this as a functional issue that could enable unauthorized data access.

Generated by OpenCVE AI on June 1, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dolibarr ERP CRM to version 23.0.2 or later, which includes the patch commit ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73.
  • Disable or restrict the Leave Request REST API endpoints for unauthenticated users to ensure only authorized API calls are processed.
  • Apply network firewall or reverse-proxy controls to limit remote API access to trusted IP ranges or authenticated sessions.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 02:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.
Title                (none)           Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization
First Time appeared  (none)           Dolibarr; Dolibarr erp Crm
Weaknesses           (none)           CWE-266; CWE-285
CPEs                 (none)           cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Dolibarr; Dolibarr erp Crm
References           (none)           (none)
Metrics              (none)           cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
                                      cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
                                      cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
                                      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Dolibarr Erp Crm
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T02:15:09.249Z

Reserved: 2026-05-31T07:32:35.727Z

Link: CVE-2026-10215

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T03:16:25.300

Modified: 2026-06-01T03:16:25.300

Link: CVE-2026-10215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T04:00:11Z

Weaknesses