MEDIUM 4.3

CVE-2026-10215: Dolibarr Leave Request API Authorization Bypass

A flaw in Dolibarr ERP CRM's Leave Request REST API fails to properly check whether users have permission to access specific leave request objects. An authenticated attacker can remotely exploit this to view leave data they should not be able to see. The vulnerability affects versions up to 23.0.1, and Dolibarr has released version 23.0.2 as a fix. Because the exploit has been publicly disclosed, this poses an active risk despite its moderate CVSS score.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10215 is an improper authorization flaw in the checkUserAccessToObject function within htdocs/holiday/class/api_holidays.class.php of Dolibarr's Leave Request REST API. The authorization check fails to enforce proper access controls, allowing an authenticated user to read leave request records outside their authorization scope. The vulnerability is network-accessible and requires only valid authentication credentials (no elevated privileges needed). It affects confidentiality but not integrity or availability. Dolibarr addressed this in version 23.0.2 via commit ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73.

Business impact

Unauthorized disclosure of employee leave and time-off data could expose sensitive HR information, creating privacy and compliance risks. In regulated industries (healthcare, finance, government), exposure of leave schedules and patterns may trigger data protection obligations. The moderate CVSS score reflects that this is confidentiality-focused, but the public exploit disclosure and ease of exploitation (authenticated access only) increase operational risk. Organizations relying on Dolibarr for leave management should treat this as a near-term remediation priority.

Affected systems

Dolibarr ERP CRM versions up to and including 23.0.1 are affected. The vulnerability exists in the REST API's Leave Request module. Any deployment using this ERP/CRM system for leave request management is at risk if not patched. The API nature means the flaw may be exploited by any application or user holding valid API credentials or session authentication.

Exploitability

The vulnerability is easily exploitable. It requires only valid user authentication to trigger—no elevated privileges, special configuration, or complex interaction is needed. The attack is initiated remotely over the network via standard REST API calls. Because the exploit has been publicly disclosed, attackers have proof-of-concept information and the technical barrier to exploitation is very low. The combination of public disclosure and low exploitation complexity makes this an attractive target for both opportunistic and targeted attacks.

Remediation

Upgrade Dolibarr ERP CRM to version 23.0.2 or later. This version includes the authorization logic fix (commit ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73). Organizations unable to upgrade immediately should restrict API access to the Leave Request endpoint using network controls or WAF rules, limit authentication scope, and monitor API logs for unusual leave request queries. Verify the upgrade against the official Dolibarr advisory to confirm patch application.

Patch guidance

Apply Dolibarr version 23.0.2 or later. The fix is available in the official release; verify that your installed version's commit hash matches or supersedes ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Before patching production, test in a non-production environment to ensure compatibility with customizations or integrations. If you have deployed custom REST API endpoints or extensions that depend on the Leave Request API, review their logic post-patch to ensure they still function correctly.

Detection guidance

Monitor REST API logs for anomalous leave request queries, particularly GET requests to leave endpoints from users or API keys that do not manage those records. Look for patterns such as sequential API calls accessing other users' leave data, rapid enumeration of leave IDs, or API access from unexpected IP ranges. Implement API request logging with user and resource context to enable forensic analysis. Review recent API access logs (particularly since the public disclosure date, June 1, 2026) for signs of exploitation.

Why prioritize this

Although the CVSS score is moderate (4.3), the public exploit disclosure and low barrier to exploitation significantly raise practical risk. Any attacker with valid credentials can immediately exploit this flaw. The data exposed (leave schedules) may trigger regulatory notification obligations in certain jurisdictions. The ease of patching (direct upgrade to 23.0.2) and the high signal-to-noise ratio of detection make this a high-value remediation target for most organizations running Dolibarr.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible, low-complexity attack requiring authentication, with confidentiality impact but no integrity or availability impact. However, the public exploit disclosure elevates practical risk beyond the base score. This is a high-priority fix relative to other moderate-severity flaws because it combines ease of exploitation, ease of detection, and ease of patching into a low-friction remediation opportunity.

Frequently asked questions

Who can exploit this vulnerability?

Any user or application with valid authentication credentials to the Dolibarr REST API can trigger this flaw. The attacker does not need administrative or elevated privileges—standard user credentials are sufficient. This makes it accessible to insider threats as well as external attackers who have compromised user credentials.

Will I see this in a vulnerability scanner?

Many SAST and API security scanners may detect improper authorization in REST endpoints, but detection depends on the scanner's rules and your configuration. Network-based WAF or API gateway tools are more likely to catch exploitation attempts in real time. The best detection is application-level logging that correlates API requests with user authorization context.

Is patching safe and straightforward?

Upgrading to version 23.0.2 is a targeted fix that should be straightforward for most deployments. However, always test in a non-production environment first, especially if you have custom integrations or extensions using the Leave Request API. Review Dolibarr's release notes and any custom code dependencies before deploying to production.

What if we can't patch immediately?

Implement network-level access controls to restrict REST API traffic to trusted IP ranges or require VPN access. Monitor API logs for suspicious leave request queries. Consider disabling the REST API entirely if leave requests are managed through the web interface instead. These are temporary mitigations only; patching should be prioritized within your change window.

This analysis is provided for informational purposes and reflects the vulnerability data available as of the publication date. Organizations should verify patch availability and compatibility against official Dolibarr advisories and release notes. No exploit code or proof-of-concept tools are provided or endorsed herein. SEC.co does not guarantee the completeness or accuracy of third-party vulnerability data; consult official vendor sources for definitive remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).