Platform: php
Component: dolibarr/dolibarr
Fixed in: 22.0.5
A Local File Inclusion (LFI) vulnerability has been identified in Dolibarr Core, affecting versions up to 22.0.4. This flaw allows authenticated users to read arbitrary files on the server, potentially exposing sensitive data like configuration files or backups. The vulnerability resides in the /core/ajax/selectobject.php endpoint and is due to a fail-open logic flaw in the access control function. A patch is expected to address this issue.
The primary impact of CVE-2026-34036 is sensitive data disclosure. An attacker who has authenticated to the Dolibarr instance can manipulate the objectdesc parameter of the /core/ajax/selectobject.php endpoint to read files outside the intended scope, including configuration files containing database credentials (.env), web server configuration (.htaccess), backups of sensitive data, or application logs. Successful exploitation could lead to unauthorized access to the underlying system and compromise of confidential information. The blast radius is limited to the server hosting the Dolibarr instance, and exploitation requires an authenticated account.
This vulnerability was publicly disclosed on 2026-03-27. Currently, there are no known active campaigns targeting this specific vulnerability. The existence of a public description suggests the potential for exploitation, and the relatively straightforward nature of the exploit could lead to its adoption by malicious actors. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS: 0.03% (9th percentile)
The recommended mitigation for CVE-2026-34036 is to upgrade Dolibarr Core to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. These may include restricting file access permissions on the server to limit the attacker's ability to read arbitrary files. Review and harden the restrictedArea() function within /core/ajax/selectobject.php if possible, though this requires significant code modification. Web application firewalls (WAFs) configured to detect and block LFI attempts targeting /core/ajax/selectobject.php can also provide a layer of protection. After upgrading, confirm the vulnerability is resolved by attempting the exploit with a test user and verifying that file access is denied.
Update Dolibarr to a version later than 22.0.4. As no patches are available at the time of this publication, monitor Dolibarr security updates and apply the update as soon as it is available.
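As an added example (not Dolibarr project code and not part of this advisory), the following Python script applies the detection idea from the mitigation above to web server access logs: it scans requests to /core/ajax/selectobject.php and flags objectdesc values that contain traversal sequences, absolute paths or NUL bytes, after undoing double percent-encoding. The log lines and the benign objectdesc value are constructed; the real syntax of that parameter is not documented on this page.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

ENDPOINT = "/core/ajax/selectobject.php"  # endpoint named in the advisory
PARAM = "objectdesc"                       # parameter named in the advisory

# Apache/nginx "combined" access-log line: ip, identity, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Traversal sequences, absolute Unix/Windows paths, or an embedded NUL in the decoded value.
SUSPICIOUS = re.compile(r'\.\./|\.\.\\|^/|^[A-Za-z]:\\|\x00')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_lfi_attempts(log_lines):
    """Return (client_ip, timestamp, decoded objectdesc) for each suspicious request."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlparse(m.group("target"))
        if url.path != ENDPOINT:
            continue  # only the affected endpoint is in scope
        # parse_qs strips one layer of percent-encoding; fully_decode catches double encoding
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample lines: a benign lookup (objectdesc syntax is assumed, not taken from
# the advisory), a plain traversal, a double-encoded traversal, and an absolute path.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Mar/2026:10:00:01 +0000] "GET /core/ajax/selectobject.php?objectdesc=Product:product/class/product.class.php&htmlname=fk_product HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/Mar/2026:10:00:07 +0000] "GET /core/ajax/selectobject.php?objectdesc=Product:../../.env HTTP/1.1" 200 2048',
    '198.51.100.9 - - [27/Mar/2026:10:00:09 +0000] "GET /core/ajax/selectobject.php?objectdesc=Product%253A..%252F..%252F.htaccess HTTP/1.1" 200 1400',
    '198.51.100.9 - - [27/Mar/2026:10:00:12 +0000] "GET /core/ajax/selectobject.php?objectdesc=/etc/hostname HTTP/1.1" 200 64',
]
```

Running `flag_lfi_attempts(SAMPLE_LOG)` returns the three suspicious requests and leaves the benign lookup unflagged; a 200 status on such a request after the upgrade is what the verification step in the mitigation should no longer produce.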
CVE-2026-34036 is a Local File Inclusion vulnerability in Dolibarr Core versions up to 22.0.4, allowing authenticated users to read arbitrary files on the server.
You are affected if you are running Dolibarr Core version 22.0.4 or earlier. Upgrade to a patched version as soon as possible.
The primary fix is to upgrade to a patched version of Dolibarr Core. Until a patch is available, consider temporary workarounds like restricting file access permissions.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official Dolibarr security advisories on their website or community forums for updates and patch information.