CVE-2026-34036

MEDIUM 6.5

Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

7th

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.

CWE	CWE-98
Vendor	dolibarr
Product	dolibarr
Published	Mar 31, 2026
Last Updated	Mar 31, 2026

Stay Ahead of the Next One

Get instant alerts for dolibarr dolibarr

Be the first to know when new medium vulnerabilities affecting dolibarr dolibarr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Dolibarr / dolibarr

<= 22.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r github.com: https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a