CVE-2026-10154

MEDIUM

Dolibarr ERP CRM messaging.php authorization

Title source: cna

Description

A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.

References (5)

Core 5

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-367407 | Dolibarr ERP CRM messaging.php authorization

https://vuldb.com/vuln/367407

Signature, Permissions Required signature permissions-required

VDB-367407 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/367407/cti

Third Party Advisory third-party-advisory

Submit #818838 | Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side

https://vuldb.com/submit/818838

Patch patch

https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2

View Patch ZIP pw:eip

Patch patch

https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3

Scores

CVSS v3 4.3

EPSS 0.0022

EPSS Percentile 12.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-639

Status published

Products (4)

Dolibarr/ERP CRM 23.0.0

Dolibarr/ERP CRM 23.0.1

Dolibarr/ERP CRM 23.0.2

Dolibarr/ERP CRM 23.0.3

Published May 31, 2026

Tracked Since May 31, 2026