CVE-2026-10215
Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
12th
A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.
| CWE | CWE-285 CWE-266 |
| Vendor | dolibarr |
| Product | erp crm |
| Published | Jun 1, 2026 |
| Last Updated | Jun 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for dolibarr erp crm
Be the first to know when new medium vulnerabilities affecting dolibarr erp crm are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Dolibarr / ERP CRM
23.0.0 23.0.1
References
vuldb.com: https://vuldb.com/vuln/367494 vuldb.com: https://vuldb.com/vuln/367494/cti vuldb.com: https://vuldb.com/cve/CVE-2026-10215 vuldb.com: https://vuldb.com/submit/821930 github.com: https://github.com/Dolibarr/dolibarr/issues/37752 github.com: https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921 github.com: https://github.com/user-attachments/files/26487388/2_Dolibarr_Leave_Request_API_Horizontal_Unauthorized_Read_en.pdf github.com: https://github.com/Dolibarr/dolibarr/commit/ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73 github.com: https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
Credits
๐ Mitch311 (VulDB User)