PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10215 Dolibarr CVE debrief

CVE-2026-10215 is a LOW-severity improper authorization vulnerability in Dolibarr ERP CRM versions up to 23.0.1, affecting the Leave Request REST API. The flaw resides in the `checkUserAccessToObject` function within `htdocs/holiday/class/api_holidays.class.php`, where insufficient access controls allow an authenticated, remote attacker to perform unauthorized operations on leave request records. The CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring low privileges and no user interaction, with low confidentiality impact. A public exploit has been disclosed, increasing practical risk despite the LOW severity rating. The vendor has released version 23.0.2 to remediate this issue, with patch commit `ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73`. The weakness is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization).

Vendor: Dolibarr
Product: ERP CRM
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Dolibarr ERP CRM versions 23.0.1 or earlier with the Leave Request REST API enabled; security teams monitoring for authenticated API authorization weaknesses; HR and workforce management administrators relying on leave request data confidentiality

Technical summary

The vulnerability exists in the `checkUserAccessToObject` function of `htdocs/holiday/class/api_holidays.class.php` in Dolibarr ERP CRM versions through 23.0.1. The function fails to properly validate user authorization for leave request objects, enabling an authenticated remote attacker to access or manipulate leave request data belonging to other users. The attack requires low privileges and no user interaction, with network-based exploitation possible. The CVSS 4.0 score of 2.1 reflects limited confidentiality impact. Remediation is available through upgrade to version 23.0.2.
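The weakness class described above (CWE-285, an API handler that confirms the caller holds the module permission but never ties the caller to the specific record) is easiest to see beside its fix. The following is an added illustration written for this debrief, not Dolibarr's code, and it makes no claim about how `checkUserAccessToObject` or `api_holidays.class.php` is actually written; the `User`, `LeaveRequest`, `check_access_unchecked` and `authorize` names, the `draft`/`validated` states and the sample records are all hypothetical.

```python
"""Object-level authorization for leave-request records: the weak pattern
(existence plus module permission only) beside an owner/approver/action
aware check. Hypothetical example for the CWE-285 class; not Dolibarr code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False
    can_read_all: bool = False   # hypothetical "read every leave request" right


@dataclass(frozen=True)
class LeaveRequest:
    id: int
    owner_id: int      # employee who filed the request
    approver_id: int   # manager expected to validate it
    status: str        # hypothetical workflow state: "draft" or "validated"


# Constructed sample records.
REQUESTS = {
    1: LeaveRequest(id=1, owner_id=10, approver_id=20, status="draft"),
    2: LeaveRequest(id=2, owner_id=11, approver_id=20, status="validated"),
}

# Constructed sample principals.
ALICE = User(id=10)
BOB = User(id=11)
MANAGER = User(id=20)
ADMIN = User(id=1, is_admin=True)


def check_access_unchecked(user: User, req_id: int) -> bool:
    """Weak pattern: any authenticated caller with the module permission
    passes as long as the record exists. The caller's relationship to the
    record is never examined, so user 11 can read user 10's request."""
    return req_id in REQUESTS


def authorize(user: User, req_id: int, action: str) -> bool:
    """Hardened pattern: deny by default, then grant per action based on the
    caller's relationship to this specific record and its workflow state."""
    req = REQUESTS.get(req_id)
    if req is None:
        return False  # unknown record: same answer as "forbidden"
    if user.is_admin:
        return True
    if action == "read":
        return user.can_read_all or user.id in (req.owner_id, req.approver_id)
    if action == "update":
        # only the filer may edit, and only while the request is still a draft
        return user.id == req.owner_id and req.status == "draft"
    if action == "validate":
        # only the designated approver may validate a pending draft
        return user.id == req.approver_id and req.status == "draft"
    return False  # unrecognised action: deny rather than fall through


if __name__ == "__main__":
    print("unchecked, Bob reads Alice's request:", check_access_unchecked(BOB, 1))
    print("hardened,  Bob reads Alice's request:", authorize(BOB, 1, "read"))
```

The point of the `authorize` shape is that the decision is keyed on the record returned by the lookup, not just on its existence: every branch compares `user.id` against a field of `req`, and anything that is not an explicit grant ends in `False`.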

Defensive priority

medium

Recommended defensive actions

  • Upgrade Dolibarr ERP CRM to version 23.0.2 or later to obtain the authorization fix
  • Verify the patch commit ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73 is applied if running custom builds
  • Review Leave Request API access logs for anomalous authenticated access patterns from 2026-06-01 onward
  • Restrict network access to the Leave Request REST API endpoints to trusted sources where feasible
  • Monitor for unauthorized leave request data access by authenticated users with low privilege levels
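The third and fifth actions above (reviewing Leave Request API access logs and watching for low-privilege users touching records that are not theirs) can be scripted once ownership data is at hand. The following is an added detection example written for this debrief, not a Dolibarr tool: the log line format, the `/holiday/<id>` path shape, the ownership table and the admin list are constructed stand-ins for whatever the deployment's web server logs and `llx_holiday` data actually provide, and `analyze`, `is_foreign_access` and the finding names are hypothetical.

```python
"""Flag authenticated leave-request API calls by users who are neither the
record's owner nor its approver, plus users who touch several such records.
Added example; the log format, path shape and ownership data are constructed."""
import re
from collections import defaultdict

# Constructed log line shape: timestamp, authenticated user id, method, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
# Constructed path shape; adapt to the real endpoint layout of the deployment.
PATH_RE = re.compile(r"/holiday/(?P<id>\d+)(?:/|$)")

# Constructed ownership table: request id -> (owner id, approver id).
OWNERSHIP = {1: (10, 20), 2: (11, 20), 3: (12, 21)}
ADMINS = {1}  # constructed: user ids allowed to see every record

# Constructed sample access log.
SAMPLE_LOG = """\
2026-06-02T09:14:03Z user=10 method=GET path=/api/holiday/1 status=200
2026-06-02T09:14:09Z user=11 method=GET path=/api/holiday/1 status=200
2026-06-02T09:14:10Z user=11 method=GET path=/api/holiday/3 status=200
2026-06-02T09:14:11Z user=11 method=PUT path=/api/holiday/3 status=200
2026-06-02T09:15:00Z user=20 method=GET path=/api/holiday/2 status=200
2026-06-02T09:15:30Z user=1 method=GET path=/api/holiday/3 status=200
2026-06-02T09:16:00Z user=11 method=GET path=/api/holiday/99 status=404
"""


def parse(line: str):
    """Return a dict for a leave-request API line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = PATH_RE.search(m["path"])
    if not p:
        return None
    return {"ts": m["ts"], "user": int(m["user"]), "method": m["method"],
            "id": int(p["id"]), "status": int(m["status"])}


def is_foreign_access(ev: dict) -> bool:
    """True when a non-admin user touches a record they neither own nor approve."""
    parties = OWNERSHIP.get(ev["id"])
    if parties is None:
        return False  # record unknown to the ownership table: cannot judge
    if ev["user"] in ADMINS:
        return False
    return ev["user"] not in parties


def analyze(log_text: str, enumeration_threshold: int = 2) -> list:
    """Produce findings as tuples:
    ("foreign_access", user, method, record_id) for each successful foreign call,
    ("enumeration", user, n) when a user succeeded against n >= threshold
    distinct foreign records."""
    findings = []
    foreign_ids = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["status"] >= 400:
            continue  # only successful calls reveal or change data
        if is_foreign_access(ev):
            findings.append(("foreign_access", ev["user"], ev["method"], ev["id"]))
            foreign_ids[ev["user"]].add(ev["id"])
    for user, ids in sorted(foreign_ids.items()):
        if len(ids) >= enumeration_threshold:
            findings.append(("enumeration", user, len(ids)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Successful responses are the signal here: a pre-patch server returns 200 for the foreign reads and writes, so a single authenticated user collecting several records they have no relationship to is the pattern to escalate, and the `PUT` lines matter more than the `GET` lines because they indicate data changed, not just read.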

Evidence notes

Vulnerability confirmed via official CVE record and NVD entry published 2026-06-01. Patch commit and fixed release version verified through Dolibarr GitHub repository. Public exploit documentation identified in GitHub user attachments. Vendor attribution derived from reference domain analysis with low confidence; product name not explicitly confirmed in source metadata.

Official resources

Public exploit disclosed; no known ransomware campaign use