CVE-2026-11619 - Vulnerability Details

- Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization

Description

A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.

Published: 2026-06-09

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the Legacy Filemanager component of Dolibarr ERP CRM in an unknown function of config.inc.php, allowing an attacker to bypass proper authorization checks. The misuse leads to improper authorization, potentially granting unauthorized users privileges of higher role. An attacker could perform actions normally restricted to administrators, such as creating, editing, or deleting records, which could compromise data integrity and confidentiality.

Affected Systems

Dolibarr ERP CRM versions up to 23.0.2 are affected. The issue is resolved in version 23.0.3, which contains the commit f1b2dd6481e22cacb561d29ffdcd3a50b618479d. All installations using the legacy file manager module and the mentioned file path are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity; the EPSS score is not available, and it is not listed in CISA KEV. The exploit is publicly available, and the description states that it can be initiated remotely, implying that an attacker who can access the web interface can exploit the flaw. The moderate severity suggests a meaningful risk, especially in environments with unrestricted access to the file manager.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Dolibarr

ERP CRM

affected

Version	Status	Constraints
`23.0.0`	affected	—
`23.0.1`	affected	—
`23.0.2`	affected	—
`23.0.3`	unaffected	—

No data.

Vendor Product Confidence Versions

Dolibarr

Erp Crm

95%

Version	Status	Scheme	Platform
`23.0.0`	affected	semver	—
`23.0.1`	affected	semver	—
`23.0.2`	affected	semver	—
`23.0.3`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Dolibarr ERP CRM to version 23.0.3 or later to apply the official patch.
Restrict file permissions on htdocs/core/filemanagerdol/connectors/php/config.inc.php so that only trusted administrative processes can modify it.
Audit user accounts for unexpected elevated privileges and remove any that are unnecessary.
If the legacy file manager is not required, disable or remove it to reduce the attack surface.

Generated by OpenCVE AI on June 9, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3
https://github.com/dolibarr/dolibarr/commit/f1b2dd6481e22cacb561d29ffdcd3a50b618479d
https://vuldb.com/cve/CVE-2026-11619
https://vuldb.com/submit/834038
https://vuldb.com/vuln/369300
https://vuldb.com/vuln/369300/cti

History

Tue, 09 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.
Title		Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization
First Time appeared		Dolibarr Dolibarr erp Crm
Weaknesses		CWE-266 CWE-285
CPEs		cpe:2.3:a:dolibarr:erp_crm::::::::
Vendors & Products		Dolibarr Dolibarr erp Crm
References		https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3 https://github.com/dolibarr/dolibarr/commit/f1b2dd6481e22cacb561d29ffdcd3a50b618479d https://vuldb.com/cve/CVE-2026-11619 https://vuldb.com/submit/834038 https://vuldb.com/vuln/369300 https://vuldb.com/vuln/369300/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Dolibarr Erp Crm

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-09T02:30:12.759Z

Updated: 2026-06-09T14:50:39.911Z

Reserved: 2026-06-08T20:12:59.884Z

Link: CVE-2026-11619

Vulnrichment

Updated: 2026-06-09T14:48:30.392Z

NVD

Status : Deferred

Published: 2026-06-09T03:16:25.877

Modified: 2026-06-09T16:16:38.877

Link: CVE-2026-11619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T04:30:42Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object