CVE-2026-10154

MEDIUM 4.3

Dolibarr ERP CRM messaging.php authorization

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.

CWE	CWE-639 CWE-285
Vendor	dolibarr
Product	erp crm
Published	May 30, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for dolibarr erp crm

Be the first to know when new medium vulnerabilities affecting dolibarr erp crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Dolibarr / ERP CRM

23.0.0 23.0.1 23.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/367407 vuldb.com: https://vuldb.com/vuln/367407/cti vuldb.com: https://vuldb.com/submit/818838 github.com: https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2 github.com: https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3

Credits

🔍 Abderrahmane Aksoum (VulDB User)