PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10154 Dolibarr CVE debrief

A medium-severity authorization bypass (CVSS 4.0 score 5.3) affects Dolibarr ERP CRM versions 23.0.0 through 23.0.2. The flaw is in an unspecified function in htdocs/user/messaging.php: the ID parameter that selects the record the page operates on is accepted without an adequate authorization check, so a remote attacker holding a low-privileged account can change it to reach data the account is not entitled to see. This is the classic user-controlled key pattern, tracked as CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key). The CVE was published on 2026-05-31. The vendor has released version 23.0.3, with the fix in commit 119b3606c7a701747a57a1f18b1a9e7666f678e2. No exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Dolibarr
Product
ERP CRM
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-31
Original CVE updated
2026-05-31
Advisory published
2026-05-31
Advisory updated
2026-05-31

Who should care

Organizations running Dolibarr ERP CRM versions 23.0.0 through 23.0.2, particularly those with externally reachable instances or multi-user deployments in which not every account holder is trusted with every other user's data. Because the CVSS vector requires low privileges, the realistic attacker is an existing authenticated user, not an anonymous visitor. System administrators and security teams responsible for Dolibarr installations should prioritize patching.

Technical summary

The vulnerability resides in htdocs/user/messaging.php in Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2. An unspecified function fails to enforce an authorization check on the ID parameter, so an attacker can substitute another record's identifier and bypass the intended access control; the parameter acts as a user-controlled key (CWE-639) that is trusted to identify a record the requester is allowed to view. The attack is launched over the network. The CVSS 4.0 score of 5.3 (MEDIUM) reflects a network attack vector, low attack complexity, no attack requirements, low privileges required (an authenticated account), no user interaction, low confidentiality impact, no integrity or availability impact, and no impact on subsequent systems. The fix in commit 119b3606c7a701747a57a1f18b1a9e7666f678e2 corrects the authorization logic.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Dolibarr ERP CRM to version 23.0.3 or later; this is the only complete remediation.
  • If immediate patching is not feasible, limit who can reach htdocs/user/messaging.php, for example by restricting the path at the reverse proxy to trusted networks or to administrative users, and keep the instance off the public internet until it is patched.
  • Monitor web server access logs for requests to htdocs/user/messaging.php in which a single authenticated session or client walks through many distinct ID values; since the vector requires low privileges, the requests of interest come from logged-in, low-privileged accounts rather than from anonymous visitors.
  • Review user permission configurations so that least privilege is enforced throughout the Dolibarr instance, which also limits what a bypass of this kind can expose.
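The monitoring action above is easiest to act on with a concrete check. The script below is an added example for this debrief, not code from PatchSiren or from the Dolibarr project. It assumes the web server writes Apache/nginx "combined" access logs, that Dolibarr is served so the endpoint path ends in /user/messaging.php, and that the query parameter is literally named id (the advisory only says "the ID parameter"); it groups requests by client IP because a default access log does not record the Dolibarr session. The sample log lines are constructed, not captured traffic.

```python
"""Flag clients that pull many distinct id values from Dolibarr's user/messaging.php.

Added example for this CVE debrief; not PatchSiren or Dolibarr code.
Assumptions: Apache/nginx "combined" log format, endpoint path ending in
/user/messaging.php, query parameter named id, client IP as a stand-in for
the session (the session cookie is not in a default access log).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not real). 10.0.0.5 walks four consecutive ids with
# 2xx responses; 10.0.0.9 views one record twice plus an unrelated page;
# 10.0.0.7 is refused with 403 every time, so nothing was disclosed to it.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2026:09:12:01 +0000] "GET /user/messaging.php?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [31/May/2026:09:12:02 +0000] "GET /user/messaging.php?id=18 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
10.0.0.5 - - [31/May/2026:09:12:03 +0000] "GET /user/messaging.php?id=19 HTTP/1.1" 200 5211 "-" "Mozilla/5.0"
10.0.0.5 - - [31/May/2026:09:12:04 +0000] "GET /user/messaging.php?id=20 HTTP/1.1" 200 5077 "-" "Mozilla/5.0"
10.0.0.9 - - [31/May/2026:09:13:10 +0000] "GET /user/messaging.php?id=42 HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
10.0.0.9 - - [31/May/2026:09:13:40 +0000] "GET /user/card.php?id=42 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
10.0.0.9 - - [31/May/2026:09:14:02 +0000] "GET /user/messaging.php?id=42 HTTP/1.1" 200 6001 "-" "Mozilla/5.0"
10.0.0.7 - - [31/May/2026:09:15:00 +0000] "GET /user/messaging.php?id=1 HTTP/1.1" 403 412 "-" "curl/8.5.0"
10.0.0.7 - - [31/May/2026:09:15:01 +0000] "GET /user/messaging.php?id=2 HTTP/1.1" 403 412 "-" "curl/8.5.0"
10.0.0.7 - - [31/May/2026:09:15:02 +0000] "GET /user/messaging.php?id=3 HTTP/1.1" 403 412 "-" "curl/8.5.0"
"""

# Combined log format: client identd user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields needed for the check from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Lowercase query keys so ?ID= or ?Id= cannot slip past the rule.
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "params": params,
        "status": int(m.group("status")),
    }


def messaging_ids_by_client(log_text):
    """Map client IP -> set of id values it successfully fetched from messaging.php.

    Only 2xx responses count: a 403 means the authorization check held and no
    other record's data was returned.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/user/messaging.php"):
            continue
        if not 200 <= rec["status"] < 300 or "id" not in rec["params"]:
            continue
        for value in rec["params"]["id"]:
            seen[rec["ip"]].add(value)
    return seen


def flag_enumeration(log_text, threshold=3):
    """Return [(ip, distinct_id_count)] for clients at or above threshold, most ids first.

    A user reading their own messaging page touches one id, so a client that
    successfully pulls many distinct ids is the signal worth a closer look.
    """
    counts = [(ip, len(ids)) for ip, ids in messaging_ids_by_client(log_text).items()]
    return sorted((c for c in counts if c[1] >= threshold), key=lambda c: (-c[1], c[0]))


if __name__ == "__main__":
    for ip, n in flag_enumeration(SAMPLE_LOG):
        print(f"{ip}: {n} distinct messaging.php ids returned with 2xx")
```

Run against the sample, only 10.0.0.5 is flagged: 10.0.0.9 re-reads a single id, and 10.0.0.7 never receives a 2xx. The threshold is deliberately low because an ordinary user has little reason to view several other users' messaging pages; tune it against a baseline of your own traffic, and if the instance sits behind a proxy or NAT, switch the grouping key to a logged session identifier, or IP-based grouping will merge many users into one.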

Evidence notes

Vulnerability affects Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. Fix available in version 23.0.3 via commit 119b3606c7a701747a57a1f18b1a9e7666f678e2. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Weaknesses: CWE-285, CWE-639.

Official resources

2026-05-31T00:16:33.527Z