PT-2026-45247 · Unknown · Dolibarr Erp/Crm

Mitch311 · Published 2026-06-01 · Updated 2026-06-01 · CVE-2026-10215

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Dolibarr ERP CRM versions prior to 23.0.2

Description: Improper authorization exists in the Leave Request REST API component. The issue is located in the checkUserAccessToObject() function within the htdocs/holiday/class/api_holidays.class.php file, which allows a remote attacker to bypass authorization controls.

Recommendations: Update to version 23.0.2. As a temporary mitigation, restrict access to the Leave Request REST API component.

Exploit

Fix

Incorrect Privilege Assignment

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-10215

Affected Products

Dolibarr Erp/Crm