MEDIUM 6.3

CVE-2026-11619: Dolibarr ERP CRM Authorization Bypass in Legacy Filemanager

A flaw exists in Dolibarr ERP CRM versions up to 23.0.2 within the Legacy Filemanager component. An authenticated attacker can exploit improper authorization controls in a configuration file to gain unauthorized access to functionality they should not have. The vulnerability allows remote exploitation and does not require user interaction. Public exploit code is available, increasing practical attack risk. The issue is resolved by upgrading to version 23.0.3 or later.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11619 affects Dolibarr ERP CRM through version 23.0.2 and involves an authorization bypass in htdocs/core/filemanagerdol/connectors/php/config.inc.php within the Legacy Filemanager component. The vulnerability stems from improper authorization logic (CWE-266, CWE-285), allowing authenticated users to perform actions beyond their assigned permissions. The attack vector is network-accessible, requires login credentials (PR:L), and operates in the user's security context (S:U). Remediation is available via patch f1b2dd6481e22cacb561d29ffdcd3a50b618479d, included in version 23.0.3.

Business impact

Organizations running Dolibarr ERP CRM are at risk of unauthorized data access and modification by authenticated insiders or compromised accounts. Since the Legacy Filemanager component often handles document storage and retrieval, exploitation could expose sensitive business documents, financial records, or confidential project files. The presence of public exploit code significantly raises the likelihood of opportunistic attacks. For supply chain deployments, this affects any organization depending on hosted or managed Dolibarr instances running vulnerable versions.

Affected systems

Dolibarr ERP CRM versions up to and including 23.0.2 are vulnerable. The Legacy Filemanager component is the attack surface. Organizations should identify deployed instances using version 23.0.2 or earlier and prioritize those in direct contact with untrusted networks or multi-tenant environments.

Exploitability

Exploitability is moderate to high. The vulnerability requires valid authentication credentials, limiting attack surface to users with system access. However, the network accessibility, absence of complex interaction requirements, and availability of public exploit code substantially increase practical exploitation risk. Insider threats and lateral movement by account compromise are primary concerns. The CVSS 3.1 score of 6.3 reflects medium severity with confidentiality, integrity, and availability impact.

Remediation

Upgrade Dolibarr ERP CRM to version 23.0.3 or later. The patch resolves authorization enforcement in the config.inc.php file. Organizations unable to upgrade immediately should restrict access to the filemanagerdol component via network controls and review file manager access logs for unauthorized activity.

Patch guidance

Apply Dolibarr ERP CRM version 23.0.3 or later. Verify the patch commit hash matches f1b2dd6481e22cacb561d29ffdcd3a50b618479d in your deployment. Test in a staging environment before production deployment to ensure compatibility with custom configurations or dependent modules. For hosted deployments, confirm with your provider that instances have been updated.

Detection guidance

Monitor access logs for the htdocs/core/filemanagerdol/connectors/php/config.inc.php file, particularly requests from authenticated users with unusual privilege elevation or cross-departmental file access patterns. Review file manager activity logs for access to sensitive documents outside normal business workflows. Implement authentication and authorization telemetry to detect privilege escalation attempts within the ERP system. Network IDS/IPS signatures targeting Legacy Filemanager exploitation may be available from security vendors.

Why prioritize this

Despite a CVSS score of 6.3 (medium), this vulnerability merits expedited patching due to public exploit availability and the sensitive nature of ERP systems. Finance, healthcare, and manufacturing sectors using Dolibarr should prioritize immediate upgrades. The low attack complexity and requirement for authentication only (rather than zero-day complexity) make this a realistic threat in competitive or malicious insider scenarios.

Risk score, explained

CVSS 3.1 assigns a score of 6.3 because the vulnerability requires authenticated access (PR:L), has low attack complexity, and impacts confidentiality, integrity, and availability equally. The network vector (AV:N) and lack of scope change reflect the severity. The score does not account for the real-world amplification provided by public exploit code, which argues for treating this as a priority-one fix in environments where Dolibarr holds sensitive data.

Frequently asked questions

Do I need valid Dolibarr login credentials to exploit this?

Yes. The vulnerability requires authentication (PR:L in the CVSS vector), so an attacker needs a valid user account or must compromise one first. This limits but does not eliminate attack surface.

Is upgrading to 23.0.3 the only remediation?

It is the recommended and permanent fix. If you cannot upgrade immediately, restrict network access to the filemanagerdol component, implement additional file access controls, and actively monitor logs for suspicious activity. However, patching should be your priority.

What if I don't use the Legacy Filemanager component?

Review your Dolibarr configuration and module inventory. Even if you believe the component is unused, it may be present and inadvertently accessible. Verify with your administrator and confirm it is properly disabled if not needed.

Why isn't this on the CISA KEV catalog yet?

Not all publicly exploitable vulnerabilities are immediately added to the KEV catalog. However, the presence of public exploit code and the sensitivity of ERP systems mean you should treat this as high-priority regardless of KEV status.

This analysis is provided for informational purposes to help security teams assess and prioritize vulnerability remediation. SEC.co does not provide exploit code or weaponization guidance. Verify all patch versions and commit hashes against official Dolibarr vendor advisories before deployment. This assessment does not constitute legal advice or guarantee of security outcomes. Organizations should conduct their own testing and risk analysis in the context of their environment and threat model. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).