CVE-2026-10215

4.3 MEDIUM
Published: June 01, 2026 Modified: June 03, 2026
View on NVD

Description

A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/Dolibarr/dolibarr/commit/ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73
Source: cna@vuldb.com
https://github.com/Dolibarr/dolibarr/issues/37752
Source: cna@vuldb.com
https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921
Source: cna@vuldb.com
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
Source: cna@vuldb.com
https://github.com/user-attachments/files/26487388/2_Dolibarr_Leave_Request_API_Horizontal_Unauthorized_Read_en.pdf
Source: cna@vuldb.com
https://vuldb.com/cve/CVE-2026-10215
Source: cna@vuldb.com
https://vuldb.com/submit/821930
Source: cna@vuldb.com
https://vuldb.com/vuln/367494
Source: cna@vuldb.com
https://vuldb.com/vuln/367494/cti
Source: cna@vuldb.com
https://github.com/Dolibarr/dolibarr/issues/37752
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

11 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.3 / 10.0
EPSS (Exploit Probability)
0.3%
17th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-266 CWE-285

Related CVEs

CVE-2026-48777 N/A
CVE-2026-47750 7.8
CVE-2026-47747 7.8
CVE-2026-46448 5.4
CVE-2026-22313 9.1