CVE-2026-10215

A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/Dolibarr/dolibarr/commit/ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73
https://github.com/Dolibarr/dolibarr/issues/37752
https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
https://github.com/user-attachments/files/26487388/2_Dolibarr_Leave_Request_API_Horizontal_Unauthorized_Read_en.pdf
https://vuldb.com/cve/CVE-2026-10215
https://vuldb.com/submit/821930
https://vuldb.com/vuln/367494
https://vuldb.com/vuln/367494/cti
https://github.com/Dolibarr/dolibarr/issues/37752
https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921

Configurations

No configuration.

History

03 Jun 2026, 19:16

Type	Values Removed	Values Added
References	~~() https://github.com/Dolibarr/dolibarr/issues/37752 -~~	() https://github.com/Dolibarr/dolibarr/issues/37752 -
References	~~() https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921 -~~	() https://github.com/Dolibarr/dolibarr/issues/37752#issuecomment-4304055921 -

01 Jun 2026, 03:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-01 03:16

Updated : 2026-06-03 19:16

NVD link : CVE-2026-10215

Mitre link : CVE-2026-10215

CVE.ORG link : CVE-2026-10215

JSON object : View

Products Affected

No product.

CWE

CWE-266

Incorrect Privilege Assignment

CWE-285

Improper Authorization

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2026-10215

4.3^/10

4.0^/10

Attach tags to `CVE-2026-10215`