CVE-2026-11619
Description
Dolibarr ERP CRM improper authorization vulnerability in Legacy Filemanager allows remote attackers to exploit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in Dolibarr ERP CRM up to version 23.0.2 within the Legacy Filemanager component, specifically in the htdocs/core/filemanagerdol/connectors/php/config.inc.php file. The issue stems from improper authorization checks, allowing unauthorized access to certain functionalities.
Exploitation
An attacker can exploit this vulnerability remotely through the file manager's PHP connector, which requires `config.inc.php` before serving any request. The references do not detail the exact request sequence; what the fix shows is that a module-permission test was missing, so a user who lacks administrator rights and write permission on the website module could reach connector functionality that the fix restricts to those roles.
Impact
The improper authorization allows an attacker to gain unauthorized access to functionalities within the Legacy Filemanager. The specific impact, such as data disclosure or unauthorized modification, is not explicitly detailed in the provided references, but the vulnerability is categorized as medium severity.
Mitigation
Dolibarr ERP CRM version 23.0.3, released on 2026-06-09, addresses this vulnerability. Upgrading to this version or later is recommended to resolve the issue [1]. The patch identifier is f1b2dd6481e22cacb561d29ffdcd3a50b618479d [2].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
f1b2dd6481e2 FIX add permission test on legacy filemanager - Credit Aksoum
2 files changed · +11 −1
htdocs/core/filemanagerdol/connectors/php/config.inc.php+8 −1 modified@@ -33,9 +33,9 @@ // is a security hole if anybody can access without // being an authenticated user. require_once '../../../../main.inc.php'; - /** * @var Conf $conf + * @var User $user * * @var string $dolibarr_main_data_root * @var string $dolibarr_main_url_root @@ -49,6 +49,13 @@ //define('DOL_URL_ROOT', $pos); $entity = ((!empty($_SESSION['dol_entity']) && $_SESSION['dol_entity'] > 1) ? $_SESSION['dol_entity'] : null); + +if (!empty($user->admin) && !$user->hasRight('website', 'write')) { + accessforbidden('Need to be admin or having write permission on website module'); + exit; +} + + // SECURITY: You must explicitly enable this "connector". (Set it to "true"). // WARNING: don't just set "$Config['Enabled'] = true ;", you must be sure that only // authenticated users can access this file or use some kind of session checking.
htdocs/core/filemanagerdol/connectors/php/connector.php+3 −0 modified@@ -26,6 +26,9 @@ ob_start(); require 'config.inc.php'; // This include the main.inc.php +/** + * @var array<string,mixed> $Config + */ require 'connector.lib.php'; if (!$Config['Enabled']) {
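Review bot: the new condition in the second config.inc.php hunk (@@ -49,6 +49,13 @@) is inverted relative to its own message. `if (!empty($user->admin) && !$user->hasRight('website', 'write'))` denies only users who are administrators and lack website write permission, and lets every non-administrator fall through to the connector, while the message says access needs "admin or having write permission on website module". The gate that matches the message is `if (empty($user->admin) && !$user->hasRight('website', 'write'))`; please correct the condition (or the message, if admin-only-with-website-write is really the intent) before this ships.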
Vulnerability mechanics
Root cause
"The legacy file manager component lacked proper authorization checks, allowing unauthorized access."
Attack vector
An attacker can remotely exploit this vulnerability by reaching the legacy file manager's connector without the authorization the fix now requires. The vulnerable file is `htdocs/core/filemanagerdol/connectors/php/config.inc.php`, which `connector.php` requires before handling a request. A public exploit is referenced. [ref_id=1]
Affected code
The vulnerability resides in the `htdocs/core/filemanagerdol/connectors/php/config.inc.php` file, specifically within the legacy file manager component. The patch modifies this file to include an authorization check before proceeding with file operations. [patch_id=5292254]
What the fix does
The patch adds a permission check to `htdocs/core/filemanagerdol/connectors/php/config.inc.php`, the file that `connector.php` requires before handling any request, so the check runs before the connector's own `$Config['Enabled']` gate. The error message states the intent: access needs either administrator rights or write permission on the website module. Note that the condition as committed reads `!empty($user->admin) && !$user->hasRight('website', 'write')`, which denies an administrator lacking website write permission and does not deny non-administrators; anyone relying on this fix should verify the condition in the code they actually deploy. [patch_id=5292254]
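As an added example (not Dolibarr's code), the following standalone PHP script models the permission gate that the fix adds to `config.inc.php`. `StubUser` is a hypothetical stand-in for Dolibarr's `User` object exposing only the two members the check uses, `admin` and `hasRight()`; `deniedAsCommitted()` reproduces the condition exactly as it appears in the hunk, `deniedAsIntended()` the condition implied by the commit's own error message, and `gateRequest()` stands in for the `accessforbidden()` call. The four constructed users cover every admin/website-write combination.

```php
<?php
declare(strict_types=1);
// Added example, not Dolibarr code. Models the permission gate that the fix
// adds to htdocs/core/filemanagerdol/connectors/php/config.inc.php.
// StubUser is a hypothetical stand-in for Dolibarr's User object: it exposes
// only the two members the check uses, `admin` and `hasRight()`.

final class StubUser
{
    /** @var array<string, array<string, bool>> module => right => granted */
    private array $rights;
    public int $admin;

    public function __construct(int $admin, array $rights)
    {
        $this->admin = $admin;
        $this->rights = $rights;
    }

    public function hasRight(string $module, string $perm): bool
    {
        return $this->rights[$module][$perm] ?? false;
    }
}

// Condition exactly as it appears in the committed hunk:
// denies admins without website write, lets all non-admins through.
function deniedAsCommitted(StubUser $user): bool
{
    return !empty($user->admin) && !$user->hasRight('website', 'write');
}

// Condition matching the commit's own error message
// ("Need to be admin or having write permission on website module"):
// denies only users who are neither admin nor website writers.
function deniedAsIntended(StubUser $user): bool
{
    return empty($user->admin) && !$user->hasRight('website', 'write');
}

// Guard a connector request the way config.inc.php does: deny early or fall
// through to the connector. Returns a status string so outcomes can be compared.
function gateRequest(StubUser $user, callable $denied): string
{
    if ($denied($user)) {
        // Dolibarr calls accessforbidden() here and stops the request.
        return '403 Need to be admin or having write permission on website module';
    }
    return '200 connector reached';
}

// Constructed users covering the four admin / website-write combinations.
$users = [
    'admin, website write'        => new StubUser(1, ['website' => ['write' => true]]),
    'admin, no website write'     => new StubUser(1, []),
    'non-admin, website write'    => new StubUser(0, ['website' => ['write' => true]]),
    'non-admin, no website write' => new StubUser(0, []),
];

printf("%-30s %-10s %-10s\n", 'user', 'committed', 'intended');
foreach ($users as $label => $u) {
    printf(
        "%-30s %-10s %-10s\n",
        $label,
        substr(gateRequest($u, 'deniedAsCommitted'), 0, 3),
        substr(gateRequest($u, 'deniedAsIntended'), 0, 3)
    );
}
```

Running the script side by side shows the difference that matters for this CVE: the committed condition returns 403 only for the "admin, no website write" row and 200 for every non-administrator, whereas the intended condition returns 403 only for "non-admin, no website write", which is the low-privileged user the preconditions describe.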
Preconditions
- auth: The attacker does not need to be authenticated as an administrator or possess specific module write permissions.
- network: The vulnerability can be exploited remotely.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions (0)
No linked articles in our index yet.