VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published May 31, 2026

CVE-2026-10154

Description

A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dolibarr ERP CRM 23.0.0–23.0.2 contains an authorization bypass in messaging.php allowing remote attackers to read other users' messages.

Vulnerability

In Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2, the file htdocs/user/messaging.php contains an authorization bypass vulnerability. The code handling the ID argument does not verify that the authenticated user has permission to view the requested user's messages. The patch (commit 119b3606c7a701747a57a1f18b1a9e7666f678e2) adds a check that denies access when the requesting user is not the owner of the requested user object and lacks the `user/user/lire` permission [2].

Exploitation

An attacker with a valid user account can remotely exploit this by sending a crafted HTTP request to messaging.php with an arbitrary ID parameter corresponding to another user. No special network position or additional authentication is required beyond a valid session. The attack is straightforward: simply change the ID value to target another user's identifier.

Impact

Successful exploitation allows an attacker to read the messaging content of other users, leading to unauthorized information disclosure. This violates the intended access control, potentially exposing sensitive communications within the ERP system. The attacker does not gain write access or privilege escalation beyond reading messages.

Mitigation

The vulnerability is fixed in Dolibarr version 23.0.3, released on 2026-05-31 [1]. Users should upgrade to 23.0.3 or later. No workaround is provided; upgrading is the recommended action. The patch commit is 119b3606c7a701747a57a1f18b1a9e7666f678e2 [2].

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 references
  • Dolibarr / Dolibarr, 2 versions (no CPE), range: <=23.0.2

Patches

1 patch

119b3606c7a7

Fix IDOR - credit Aksoum Abderrahmane

https://github.com/dolibarr/dolibarr · Laurent Destailleur · Apr 10, 2026 · via nvd-ref
1 file changed · +6 −1
  • htdocs/user/messaging.php (modified, +6 −1)
    @@ -109,12 +109,17 @@
     $feature2 = (($socid && $user->hasRight('user', 'self', 'creer')) ? '' : 'user');
     $result = restrictedArea($user, 'user', $id, 'user&user', $feature2);
     
    +// If user is not user that read and no permission to read other users, we stop
    +if (($object->id != $user->id) && !$user->hasRight('user', 'user', 'lire')) {
    +	accessforbidden();
    +}
    +
     
     /*
      *	Actions
      */
     
    -$parameters = array('id' => $socid);
    +$parameters = array('id' => $id);
     $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks
     if ($reshook < 0) {
     	setEventMessages($hookmanager->error, $hookmanager->errors, 'errors');
    
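Review bot: The new guard compares `$object->id` against `$user->id`, but this hunk does not show where `$object` is populated from `$id`; confirm that the fetch of the requested user happens before line 109, because if `$object` is still unloaded the comparison silently tests an empty id rather than the requested one. The loose `!=` is also worth tightening to `(int) $object->id !== (int) $user->id` so the check does not depend on PHP type juggling between string and integer ids. Separately, the `$parameters = array('id' => $id);` change is a hook-behaviour fix unrelated to the authorization bypass; it would be clearer as its own commit, or at least called out in the commit message so downstream reviewers do not mistake it for part of the security fix. Minor: the added block ends with an extra blank `+` line on top of the existing blank context line, and the comment reads better as "If the user is not the user being read and has no permission to read other users, stop".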

Vulnerability mechanics

Root cause

"Missing authorization check in `htdocs/user/messaging.php` allows an authenticated user to access another user's messaging data by manipulating the `ID` parameter."

Attack vector

An authenticated low-privilege user can send a crafted HTTP request to `htdocs/user/messaging.php` with an arbitrary `ID` parameter belonging to another user. Because the original code lacked a check that the requesting user owns the target user object or has the `lire` permission, the attacker can read another user's messaging data without authorization [CWE-639] [ref_id=1].

Affected code

The vulnerability resides in `htdocs/user/messaging.php`. The patch adds an authorization check after the existing `restrictedArea()` call and also fixes a bug where the hook parameters used `$socid` instead of `$id` [patch_id=3249839].

What the fix does

The patch inserts a guard that calls `accessforbidden()` when the current user is neither the owner of the object (`$object->id != $user->id`) nor has the global `user/user/lire` permission. It also corrects the hook parameter array to pass `$id` instead of `$socid`, ensuring hooks receive the intended user identifier [patch_id=3249839].

Preconditions

  • Authentication: the attacker must be an authenticated Dolibarr user with a session.
  • Input: the attacker must know or guess another user's ID.
  • Network: the target endpoint `htdocs/user/messaging.php` must be reachable over the network.

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)
