PT-2026-28592 · Dolibarr · Dolibarr

Cnf409 · Published 2026-03-27 · Updated 2026-03-31 · CVE-2026-34036

CVSS v3.1: 6.5 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dolibarr versions 22.0.4 and earlier

Description: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. A Local File Inclusion (LFI) vulnerability exists in the core AJAX endpoint '/core/ajax/selectobject.php'. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server, such as .env, .htaccess, configuration backups, or logs. The root cause is a design flaw in which dynamic file inclusion happens before the access control check, combined with fail-open logic in the access control list (ACL) function. Specifically, the endpoint parses the objectdesc parameter into a $classpath and, if fetchObjectByElement() fails, falls back to dol_include_once($classpath) at line 71, including the attacker-chosen file before any user permission check. restrictedArea(), at line 102, skips its access checks entirely when the $features parameter is empty, so the ACL can be bypassed. Any authenticated user can therefore include files: including a PHP file causes a fatal error, but the contents of text-based files are emitted verbatim into the HTTP response.

Recommendations: Versions prior to 22.0.5 are affected; update to 22.0.5 or later. Validate and allowlist the $classpath value derived from objectdesc before it reaches dol_include_once(). Correct the execution flow so that file inclusion never occurs before user authorization has been fully verified. Modify restrictedArea() in core/lib/security.lib.php to explicitly deny access ($readok = 0) when the $features parameter is empty.
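As an added illustration (not Dolibarr's code and not part of the original advisory), the PHP sketch below shows the three points above in working form: why including a non-PHP file echoes its contents, a fail-closed replacement for the empty-$features case, and an allowlist on the class path applied before any include, with authorization ordered ahead of inclusion. Every function name, the feature string format, the rights array layout and the temporary file tree are assumptions made for the example.

```php
<?php
// Added illustration, not Dolibarr's code. Names below (demo_include_leak,
// check_area, validate_classpath, serve_object_request) are assumptions.

// 1. Why an include of a non-PHP file leaks it: PHP copies any bytes that lie
//    outside its opening and closing tags straight to the output buffer.
function demo_include_leak(): string
{
    $tmp = tempnam(sys_get_temp_dir(), 'lfi');
    file_put_contents($tmp, "DB_PASSWORD=constructed-sample\n"); // constructed sample "secret"
    ob_start();
    include $tmp;            // no PHP opening tag, so the file body is echoed verbatim
    $leaked = ob_get_clean();
    unlink($tmp);
    return $leaked;          // "DB_PASSWORD=constructed-sample\n"
}

// 2. Fail-closed area check: an empty feature list is a caller bug, not a grant.
function check_area(array $userRights, string $features): bool
{
    if (trim($features) === '') {
        return false;        // the advisory's fix: deny ($readok = 0) when $features is empty
    }
    foreach (explode(',', $features) as $feature) {
        $feature = trim($feature);
        if ($feature === '' || empty($userRights[$feature]['read'])) {
            return false;    // every named feature must be readable by this user
        }
    }
    return true;
}

// 3. Allowlist the class path before it reaches any include.
function validate_classpath(string $classpath, string $root): ?string
{
    // Accept only "/<module>/class/<name>.class.php" from a safe charset: this
    // excludes "..", absolute paths, stream wrappers (php://, data:) and
    // non-PHP targets such as .env or .htaccess.
    if (!preg_match('#^/[a-z0-9_]+/class/[a-z0-9_]+\.class\.php$#', $classpath)) {
        return null;
    }
    $rootReal = realpath($root);
    $real = realpath($root . $classpath);
    if ($rootReal === false || $real === false) {
        return null;         // unknown file: refuse rather than let include() probe the disk
    }
    if (strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;         // resolved outside the web root (symlink or traversal)
    }
    return $real;
}

// 4. Correct order: authorize first, validate second, include last.
function serve_object_request(array $userRights, string $features, string $classpath, string $root): string
{
    if (!check_area($userRights, $features)) {
        return 'HTTP 403: access denied';
    }
    $file = validate_classpath($classpath, $root);
    if ($file === null) {
        return 'HTTP 400: invalid object description';
    }
    require_once $file;
    return 'HTTP 200: class loaded from ' . $file;
}

// Stand-alone demo against a throwaway tree (constructed; removed at the end).
$root = sys_get_temp_dir() . '/selectobject-demo-' . getmypid();
mkdir("$root/societe/class", 0700, true);
file_put_contents("$root/societe/class/societe.class.php", "<?php // constructed stand-in class\n");
file_put_contents("$root/.env", "DB_PASSWORD=constructed-sample\n");

$rights = ['societe' => ['read' => 1]];
echo demo_include_leak();                                                                        // the leak mechanism
echo serve_object_request($rights, '',        '/societe/class/societe.class.php', $root), "\n"; // 403: empty features
echo serve_object_request($rights, 'societe', '/../.env',                          $root), "\n"; // 400: traversal
echo serve_object_request($rights, 'societe', '/societe/class/societe.class.php', $root), "\n"; // 200

unlink("$root/societe/class/societe.class.php");
unlink("$root/.env");
rmdir("$root/societe/class");
rmdir("$root/societe");
rmdir($root);
```

The ordering in serve_object_request() is the part that matters most: even a perfect allowlist does not help if the include runs before the authorization decision, and even a perfect authorization check does not help if an empty feature string is treated as "no restriction" rather than "deny".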

Related Identifiers

CVE-2026-34036
GHSA-2MFJ-R695-5H9R

Affected Products

Dolibarr