CVE-2026-34036
Description
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dolibarr/dolibarr | Packagist | <= 22.0.4 | — |
References
- github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a (NVD: Patch)
- github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r (NVD: Exploit, Mitigation, Vendor Advisory)
- github.com/advisories/GHSA-2mfj-r695-5h9r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34036 (advisory)