CVE-2026-10154: Dolibarr ERP CRM Authorization Bypass in Messaging Module
Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 contain an authorization bypass vulnerability in the user messaging module. An authenticated attacker can manipulate the ID parameter in htdocs/user/messaging.php to access or view information they should not have permission to see. The vulnerability requires valid login credentials but allows a logged-in user to circumvent access controls. Upgrading to version 23.0.3 resolves the issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-285, CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10154 is an authorization bypass flaw in Dolibarr's messaging functionality. The vulnerability stems from improper access control validation on the ID parameter within the messaging.php file. An attacker with valid credentials can modify the ID argument to retrieve or interact with messaging data belonging to other users or entities. The flaw is classified under CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), indicating the application fails to properly verify that the requesting user has legitimate access to the specified resource. Exploitation is straightforward given low attack complexity and requires only network access plus valid authentication.
Business impact
This vulnerability enables information disclosure within the ERP system. A disgruntled employee or contractor with legitimate access could view private messages, communications, or sensitive business data from other users without authorization. In multi-tenant or multi-department deployments, this could expose confidential inter-departmental communications, negotiations, or strategic discussions. The scope is limited to confidentiality impact; there is no data modification or system availability risk. However, for organizations handling regulatory compliance (HIPAA, GDPR, financial records), unauthorized access to messaging data may trigger compliance violations and breach notification requirements.
Affected systems
Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2 are affected. The vulnerability is present in the htdocs/user/messaging.php component. Version 23.0.3 and later contain the fix. Organizations running any of the three affected minor versions should prioritize patching. Users on versions prior to 23.0.0 or those already on 23.0.3+ are not impacted.
Exploitability
Exploitation requires valid Dolibarr user credentials; the attack cannot be performed anonymously. However, attack complexity is low—no special techniques, timing, or race conditions are needed. An attacker simply needs to modify the ID parameter in a messaging request (likely via URL manipulation or API call) to access another user's data. This makes the vulnerability practical for insider threats or compromised low-privilege accounts. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects that remote, unauthenticated exploitation is not possible, significantly lowering the overall risk score.
Remediation
The vendor has released version 23.0.3, which includes patch 119b3606c7a701747a57a1f18b1a9e7666f678e2, specifically addressing the authorization bypass. Upgrading to 23.0.3 or later is the authoritative fix. Organizations should plan an upgrade as part of their regular maintenance cycle. If immediate patching is not feasible, consider restricting access to the Dolibarr messaging module via network controls or firewall rules until the upgrade can be applied.
Patch guidance
Upgrade Dolibarr ERP CRM to version 23.0.3 or later. Verify against the official Dolibarr release notes and security advisories that version 23.0.3 is available in your deployment environment (self-hosted or cloud). Test the upgrade in a non-production environment first to ensure no disruption to dependent workflows or third-party integrations. The patch commit hash 119b3606c7a701747a57a1f18b1a9e7666f678e2 can be used to verify the fix has been applied if inspecting source code. For cloud-hosted instances, contact your Dolibarr provider to confirm automatic patching status.
Detection guidance
Monitor HTTP/API logs for suspicious ID parameter manipulation in requests to htdocs/user/messaging.php. Look for patterns where a single user account accesses messaging data for multiple different user IDs in a short time window. Review Dolibarr access logs for unauthorized messaging lookups. Implement application-level logging that captures which user accessed which messaging records and flag cross-user access attempts. If using a Web Application Firewall (WAF), create rules to alert on repeated ID parameter variations in messaging endpoints from the same source IP or user session.
Why prioritize this
Although the CVSS score of 4.3 (MEDIUM) reflects low business impact, the vulnerability is straightforward to exploit by any authenticated user and results in information disclosure. For organizations with sensitive communications or regulatory compliance requirements, unauthorized access to messaging data is a notable risk. This is not an emergency-priority patch, but it should be scheduled within normal maintenance windows ahead of more critical issues. Organizations with strict data governance should treat this as higher priority.
Risk score, explained
The CVSS 3.1 score of 4.3 is driven by: (1) Network accessibility (AV:N) and low attack complexity (AC:L) increase the base score, but (2) requirement for valid authentication (PR:L) significantly reduces exploitability, and (3) limited scope to confidentiality (C:L) with no integrity or availability impact further constrains the score. The result is a MEDIUM severity rating appropriate for an insider-threat or compromised-account scenario where unauthorized information disclosure is the primary concern.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires valid Dolibarr user credentials. An attacker must have a legitimate account and be logged in to manipulate the ID parameter in the messaging module. This limits risk to insider threats, compromised credentials, or users with intentionally granted but overly permissive accounts.
What if we have already patched to 23.0.3?
If your Dolibarr instance is running version 23.0.3 or later, this specific vulnerability is resolved. Verify your version in the Dolibarr settings or deployment documentation. If you are uncertain, check the patch commit hash against your installed version or contact your system administrator.
Does this vulnerability allow modification or deletion of messages?
No. The vulnerability is limited to authorization bypass for reading or viewing messages. There is no indication of integrity impact, meaning attackers cannot modify, delete, or create messages belonging to other users. The risk is confined to confidentiality—unauthorized disclosure of data that should be private.
Are there any known public exploits for CVE-2026-10154?
This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread public exploitation has been reported at this time. However, the simplicity of the exploit technique means it could be leveraged by any insider or attacker with valid credentials, so timely patching is still recommended.
This analysis is provided for informational purposes and represents SEC.co's interpretation of publicly available vulnerability data as of the publication date. CVSS scores, affected product versions, and patch details are based on vendor advisories and CVE records; users should verify all information against the official Dolibarr security announcement and release notes. This content does not constitute professional security advice or a guarantee of protection. Organizations must conduct their own risk assessment and testing before applying patches to production systems. SEC.co makes no warranties regarding the accuracy or completeness of this vulnerability analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController