CVE-2026-34036

MEDIUM

Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-34036. PoCs published by adminlove520 and cnf409.

AI-analyzed exploit summary: The repository contains a functional Python script that exploits an authenticated Local File Inclusion (LFI) vulnerability in Dolibarr via the `selectobject.php` endpoint. The script logs in, sends a crafted request to read arbitrary files, and displays the output.

Description

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, the core AJAX endpoint /core/ajax/selectobject.php is vulnerable to Local File Inclusion (LFI). By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access-control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). Because the endpoint only requires a valid login, any low-privileged account is sufficient, which matches the PR:L component of the CVSS vector below. At time of publication, no patch is publicly available.
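As an added example (not code from the advisory, from Dolibarr, or from either PoC repository), the following Python script triages web-server access logs for requests to /core/ajax/selectobject.php whose objectdesc value looks like an attempt to include something other than a Dolibarr class file. The page does not give the exact syntax of objectdesc; the script assumes the legitimate shape is ClassName:relative/path/to/class.php and treats path traversal, absolute paths, and non-.php targets as suspect. The log lines embedded in it are constructed, not real traffic.

```python
"""Triage Apache/nginx combined-format access logs for CVE-2026-34036-style
requests to Dolibarr's /core/ajax/selectobject.php.

Added example, not Dolibarr's code and not either published PoC. The
objectdesc value format ("ClassName:relative/path.class.php") is an assumption;
adjust split logic if your Dolibarr version emits a different shape.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic): one benign lookup, two
# suspicious objectdesc values, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2026:10:00:01 +0000] "GET /core/ajax/selectobject.php?objectdesc=Societe:societe/class/societe.class.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Apr/2026:10:00:07 +0000] "GET /core/ajax/selectobject.php?objectdesc=Societe:../../../../.env HTTP/1.1" 200 931 "-" "python-requests/2.31"
10.0.0.9 - - [01/Apr/2026:10:00:09 +0000] "GET /core/ajax/selectobject.php?objectdesc=X%3A%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [01/Apr/2026:10:00:12 +0000] "GET /societe/list.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

ENDPOINT = "/core/ajax/selectobject.php"


def classify_objectdesc(value: str) -> list:
    """Return the reasons an objectdesc value looks like an inclusion attempt.

    An empty list means the value matches the assumed benign shape. The value
    is percent-decoded once more so double-encoded traversal is also caught.
    """
    value = unquote(value)
    # Assumed legitimate shape: "ClassName:relative/path/to/class.php[:...]".
    # The include target is the segment after the first colon; a value with no
    # colon is treated as the target itself.
    parts = value.split(":")
    target = parts[1] if len(parts) > 1 else parts[0]

    reasons = []
    if ".." in target:
        reasons.append("path traversal")
    if target.startswith("/") or target.startswith("\\"):
        reasons.append("absolute path")
    if not target.lower().endswith(".php"):
        # The advisory says non-PHP files are what gets disclosed.
        reasons.append("non-PHP target")
    if "\x00" in target:
        reasons.append("null byte")
    return reasons


def triage(log_text: str) -> list:
    """Scan log text and return one record per suspicious selectobject request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs already percent-decodes once; classify_objectdesc decodes again.
        for value in parse_qs(url.query).get("objectdesc", []):
            reasons = classify_objectdesc(value)
            if reasons:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "ua": m["ua"],
                    "objectdesc": unquote(value),
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"objectdesc={hit['objectdesc']!r} -> {', '.join(hit['reasons'])}")
```

Only parameters sent in the query string reach a standard access log; if a client sends objectdesc in a POST body, this scan will not see it, so pair it with a WAF or application-level log that records request bodies. Since the endpoint requires a valid login, each hit should be joined to the Dolibarr session or user that issued it, and a 200 response with a larger-than-usual body is the stronger indicator that a file was actually returned.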

Exploits (2)

github · WORKING POC · 3 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-34036

The repository contains a functional Python script that exploits an authenticated Local File Inclusion (LFI) vulnerability in Dolibarr via the `selectobject.php` endpoint. The script logs in, sends a crafted request to read arbitrary files, and displays the output.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Dolibarr (version not specified)
Auth required
Prerequisites: Valid Dolibarr credentials · Access to the vulnerable endpoint
devstral-2 · analyzed May 02, 2026
nomisec · WORKING POC
by cnf409 · poc
https://github.com/cnf409/CVE-2026-34036

The repository contains a functional Python script that exploits an authenticated Local File Inclusion (LFI) vulnerability in Dolibarr via the `selectobject.php` endpoint. The script logs in, sends a crafted request to read arbitrary files, and prints the file contents.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Dolibarr
Auth required
Prerequisites: Valid Dolibarr credentials · Access to the vulnerable endpoint
devstral-2 · analyzed Apr 08, 2026

Scores

CVSS v3 6.5
EPSS 0.0002
EPSS Percentile 4.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-98
Status published
Products (3)
dolibarr/dolibarr (Packagist)
Dolibarr/dolibarr <= 22.0.4
dolibarr/dolibarr_erp/crm < 22.0.4
Published Mar 31, 2026
Tracked Since Mar 31, 2026