Description
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data disclosure via authenticated local file inclusion
Action: Mitigate
AI Analysis

Impact

Dolibarr versions up to and including 22.0.4 contain a local file inclusion flaw in the AJAX endpoint core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail‑open condition in the restrictedArea() access‑control function, any authenticated user can read any non‑PHP file that the web server process can read, such as .env, .htaccess, configuration backups, or logs. The weakness is CWE‑98 (Improper Control of Filename for Include/Require Statement in PHP Program). Because the reachable files include application configuration and logs, the flaw exposes secrets, credentials, and configuration details, and so compromises the confidentiality of the whole deployment rather than of a single record.

Affected Systems

The affected product is Dolibarr ERP/CRM, specifically versions 22.0.4 and earlier. No special privileges are required beyond standard authentication; any logged‑in user can trigger the inclusion. At the time of this publication, no official patch has been released by the vendor.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) places the vulnerability in the medium severity range: the impact is limited to confidentiality, but at the high level. The EPSS score of less than 1 % indicates a low observed probability of exploitation, and the CVE is not listed in the CISA KEV catalog. Note that the "local" in local file inclusion describes the files being read, not the attack vector, which is network. An attacker needs only a valid low‑privilege account; a single crafted request to core/ajax/selectobject.php with a chosen objectdesc value then suffices, with no user interaction and no further privilege escalation. The SSVC assessment records that a proof of concept exists, that exploitation is not automatable, and that the technical impact is partial.

Generated by OpenCVE AI on April 3, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Dolibarr vendor site or security advisories for an official patch or upgrade path and apply it as soon as available.
  • Restrict access to the core/ajax/selectobject.php endpoint at the web server or reverse proxy layer (for example, allowing it only for trusted networks or roles) rather than relying on the application's own check, since restrictedArea() is the component that fails open here.
  • Implement input validation or a web application firewall rule to block suspicious values for the objectdesc parameter.
  • Move sensitive files such as .env and backup configurations outside the web‑root directory and deny web access to those locations. This stops direct HTTP download only; an include‑based read reaches any path the web server account can open, so backups and logs should additionally be owned by a different account (or stored off‑host), and secrets kept out of plain files where the deployment allows it.
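The second and third recommendations amount to a detection or blocking rule on the objectdesc parameter. The following is an added example, not OpenCVE's or Dolibarr's code: it scans constructed web‑server access log lines for requests to core/ajax/selectobject.php and flags objectdesc values that contain traversal sequences, null bytes, absolute paths, dotfiles, or a target that is not a .php file. The page does not publish the exploit payload, so the "ClassName:relative/path.php" value shape and the suspicious patterns are assumptions about what a crafted value would look like; the log lines are constructed for the example.

```python
"""Flag suspicious objectdesc values sent to Dolibarr's core/ajax/selectobject.php.

Added example, not code from OpenCVE or the Dolibarr project. The value shape
"ClassName:relative/path/to/class.php[:filter]" and the heuristics below are
assumptions; the sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/core/ajax/selectobject.php"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign lookup, two suspicious reads, one unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2026:10:00:01 +0000] "GET /dolibarr/core/ajax/selectobject.php?objectdesc=Societe:societe/class/societe.class.php&objectfield=fk_soc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Apr/2026:10:00:07 +0000] "GET /dolibarr/core/ajax/selectobject.php?objectdesc=Foo:../../../../.env HTTP/1.1" 200 1890 "-" "curl/8.4.0"
10.0.0.9 - - [03/Apr/2026:10:00:09 +0000] "GET /dolibarr/core/ajax/selectobject.php?objectdesc=Foo%3A..%2F..%2F..%2Fdocuments%2Fdolibarr.log HTTP/1.1" 200 40210 "-" "curl/8.4.0"
10.0.0.5 - - [03/Apr/2026:10:00:11 +0000] "GET /dolibarr/societe/card.php?socid=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded traversal is still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(objectdesc):
    """Return heuristic hits for one objectdesc value; an empty list means it looks benign."""
    value = fully_decode(objectdesc)
    # Assumed shape "ClassName:path[:filter]": the path is what the endpoint would load.
    parts = value.split(":")
    path = parts[1] if len(parts) > 1 else parts[0]
    reasons = []
    if "\0" in value:
        reasons.append("null byte")
    if re.search(r"(^|[/\\])\.\.([/\\]|$)", path):
        reasons.append("path traversal")
    if path.startswith(("/", "\\")):
        reasons.append("absolute path")
    basename = re.split(r"[/\\]", path)[-1]
    if basename.startswith("."):
        reasons.append("dotfile target")
    if not basename.lower().endswith(".php"):
        reasons.append("non-PHP target")
    return reasons


def scan_log(text):
    """Return one record per selectobject.php request whose objectdesc trips a heuristic."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs performs one round of percent-decoding itself.
        for objectdesc in parse_qs(url.query, keep_blank_values=True).get("objectdesc", []):
            reasons = suspicious_reasons(objectdesc)
            if reasons:
                hits.append({
                    "ip": m.group("ip"),
                    "status": int(m.group("status")),
                    "objectdesc": objectdesc,
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} objectdesc={hit['objectdesc']!r} "
              f"-> {', '.join(hit['reasons'])}")
```

The same suspicious_reasons() predicate can back a WAF or reverse‑proxy rule for the live parameter. Access logs only show GET query strings; if the endpoint is also reachable via POST, the request body must be inspected at the proxy or application layer instead, and a 200 status on a flagged request is the signal that warrants incident handling rather than just blocking.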



Advisories
Source | ID | Title
Github GHSA | GHSA-2mfj-r695-5h9r | Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
History

Fri, 03 Apr 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dolibarr dolibarr Erp/crm
CPEs | | cpe:2.3:a:dolibarr:dolibarr_erp\/crm:*:*:*:*:*:*:*:*
Vendors & Products | | Dolibarr dolibarr Erp/crm

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dolibarr; Dolibarr dolibarr
Vendors & Products | | Dolibarr; Dolibarr dolibarr

Tue, 31 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
Title | | Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-03-31T13:57:45.230Z

Reserved: 2026-03-25T15:29:04.744Z

Link: CVE-2026-34036

Vulnrichment

Updated: 2026-03-31T13:57:07.139Z

NVD

Status: Analyzed

Published: 2026-03-31T03:15:57.710

Modified: 2026-04-03T16:54:36.280

Link: CVE-2026-34036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:46Z

Weaknesses