{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34036", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T15:29:04.744Z", "datePublished": "2026-03-31T01:39:38.178Z", "dateUpdated": "2026-03-31T13:57:45.230Z"}, "containers": {"cna": {"title": "Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"}, {"name": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a", "tags": ["x_refsource_MISC"], "url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a"}], "affected": [{"vendor": "Dolibarr", "product": "dolibarr", "versions": [{"version": "<= 22.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:39:38.178Z"}, "descriptions": [{"lang": "en", "value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs\u2026). At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-2mfj-r695-5h9r", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:57:14.553725Z", "id": "CVE-2026-34036", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:57:45.230Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34036", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:57:14.553725Z"}}}], "references": [{"url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:57:07.139Z"}}], "cna": {"title": "Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php", "source": {"advisory": "GHSA-2mfj-r695-5h9r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Dolibarr", "product": "dolibarr", "versions": [{"status": "affected", "version": "<= 22.0.4"}]}], "references": [{"url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r", "name": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a", "name": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs\u2026). At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T01:39:38.178Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34036", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:57:45.230Z", "dateReserved": "2026-03-25T15:29:04.744Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T01:39:38.178Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BAE3269-374D-425C-B943-C4DA4494F7BF", "versionEndIncluding": "22.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs\u2026). At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Dolibarr es un paquete de software de planificaci\u00f3n de recursos empresariales (ERP) y gesti\u00f3n de relaciones con clientes (CRM). En las versiones 22.0.4 y anteriores, existe una vulnerabilidad de inclusi\u00f3n local de ficheros (LFI) en el endpoint AJAX principal /core/ajax/selectobject.php. Al manipular el par\u00e1metro objectdesc y explotar un fallo l\u00f3gico de 'fail-open' en la funci\u00f3n de control de acceso principal restrictedArea(), un usuario autenticado sin privilegios espec\u00edficos puede leer el contenido de ficheros no PHP arbitrarios en el servidor (como .env, .htaccess, copias de seguridad de configuraci\u00f3n o registros...). En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."}], "id": "CVE-2026-34036", "lastModified": "2026-04-03T16:54:36.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T03:15:57.710", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,22.0.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dolibarr", "source": "cna", "vendor": "Dolibarr"}, "product": "dolibarr", "vendor": "dolibarr"}], "analysis": {"en": {"generated_at": "2026-04-03T20:24:57.082769+00:00", "value": {"mitigation_remediation": ["Check the Dolibarr vendor site or security advisories for an official patch or upgrade path and apply it as soon as available.", "Restrict the permissions of the core/ajax/selectobject.php endpoint so that only trusted roles can access it.", "Implement input validation or a web application firewall rule to block suspicious values for the objectdesc parameter.", "Move sensitive files such as .env and backup configurations outside the web\u2011root directory and deny web access to those locations."], "summary": {"action": "Mitigate", "impact": "Sensitive data disclosure via authenticated local file inclusion"}, "threat_synthesis": {"affected_systems": "The affected product is Dolibarr ERP/CRM, specifically versions 22.0.4 and earlier. No special privileges are required beyond standard authentication; any logged\u2011in user can trigger the inclusion. At the time of this publication, no official patch has been released by the vendor.", "description_and_impact": "Dolibarr versions up to 22.0.4 contain a local file inclusion flaw in the AJAX endpoint core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail\u2011open condition in the restrictedArea() access\u2011control function, an authenticated user can read any non\u2011PHP file on the server, such as .env, .htaccess, configuration backups, or logs. This vulnerability falls under CWE\u201198 and allows exposure of secrets, credentials, and configuration details, potentially compromising confidentiality of the entire system.", "risk_and_exploitability": "The CVSS score of 6.5 places the vulnerability in the medium severity range, while the EPSS score of less than 1\u202f% indicates a low probability of exploitation. It is not listed in the CISA KEV catalog. The attack vector is local but authenticated; a user must be able to log into the application and craft a request to core/ajax/selectobject.php with a carefully chosen objectdesc value. The exploit is straightforward once access is granted, but requires no additional privilege escalation."}}}}, "created": "2026-03-31T19:56:28.596019+00:00", "updated": "2026-04-03T21:17:46.890565+00:00", "vendors": ["dolibarr", "dolibarr$PRODUCT$dolibarr"]}