CVE-2026-11619

MEDIUM

Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization

Title source: cna

Description

A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised.

References (6)

Core 6

Core References

Vdb Entry vdb-entry

VDB-369300 | Dolibarr ERP CRM Legacy Filemanager config.inc.php improper authorization

https://vuldb.com/vuln/369300

Signature, Permissions Required signature permissions-required

VDB-369300 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/369300/cti

Third Party Advisory third-party-advisory

CVE-2026-11619 | CVE Analysis and Report

https://vuldb.com/cve/CVE-2026-11619

Third Party Advisory third-party-advisory

Submit #834038 | Dolibarr Dolibarr ERP/CRM up to 23.0.3 Missing Authorization

https://vuldb.com/submit/834038

Patch patch

https://github.com/dolibarr/dolibarr/commit/f1b2dd6481e22cacb561d29ffdcd3a50b618479d

View Patch ZIP pw:eip

Patch patch

https://github.com/Dolibarr/dolibarr/releases/tag/23.0.3

Scores

CVSS v3 6.3

EPSS 0.0021

EPSS Percentile 11.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-266 CWE-285

Status published

Products (4)

Dolibarr/ERP CRM 23.0.0

Dolibarr/ERP CRM 23.0.1

Dolibarr/ERP CRM 23.0.2

Dolibarr/ERP CRM 23.0.3

Published Jun 09, 2026

Tracked Since Jun 09, 2026