CVE-2026-37712
Description
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via call_user_func_array() in the job type handling of htdocs/cron/class/cronjob.class.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unrestricted call_user_func_array() in Dolibarr cron job allows remote authenticated attackers to execute arbitrary OS commands.
Vulnerability
In Dolibarr ERP/CRM versions 22.0.0 through 22.0.4 and 24.0.0-alpha, the htdocs/cron/class/cronjob.class.php file implements a cron job scheduler. The call_user_func_array() function is invoked with user-controlled function names and arguments from the job type field without proper validation. This allows an attacker to call arbitrary PHP functions, including those that execute OS commands [1].
Exploitation
An attacker with access to create or modify cron jobs (typically an administrator) can craft a cron job with a job type value such as 'system' and pass arbitrary OS commands as parameters. When the cron job runs, the attacker-supplied function is executed, achieving remote code execution [1].
Impact
Successful exploitation results in arbitrary code execution on the server, under the privileges of the web server process. This can lead to full compromise of the application and underlying system, including data exfiltration, file manipulation, and lateral movement [1].
Mitigation
As of the publication date, no official patch has been released for this vulnerability. Users should restrict access to the cron job management page to trusted administrators only, or disable the cron job feature if not required. Monitor for suspicious cron job creation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=22.0.4
- Range: =24.0.0-alpha
Patches
Commit 188ad132763be: Clean code
1 file changed · +0 −2
dev/build/makepack-dolibarr.pl+0 −2 modified@@ -243,8 +243,6 @@ $PROJVERSION = $MAJORVERSION . "." . $MINORVERSION; } -print "xx".$PROJVERSION; - ( $MAJOR, $MINOR, $BUILD ) = split( /\./, $PROJVERSION, 3 ); if ( $MINOR eq '' ) { die "Error can't detect version"; }
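Review bot: this hunk only deletes a leftover debug line, `print "xx".$PROJVERSION;`, from the version-detection block of dev/build/makepack-dolibarr.pl; it does not touch htdocs/cron/class/cronjob.class.php or any call_user_func_array() call, so listing it as the fix commit for this CVE is misleading and the advisory's "no official patch" status still holds. The deletion itself is harmless (the print wrote to stdout just before the split() on $PROJVERSION and would have polluted the packaging output), so the suggestion is to drop this commit from the Patches list or mark it as unrelated to the vulnerability.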
Vulnerability mechanics
Root cause
"Unsanitized input passed to call_user_func_array() in the cron job type handler allows arbitrary code execution."
Attack vector
A remote attacker can exploit the `call_user_func_array()` function in `htdocs/cron/class/cronjob.class.php` by crafting a malicious job type that injects arbitrary function and parameter values. When the cron job is executed, the unsanitized input is passed directly to `call_user_func_array()`, allowing the attacker to execute arbitrary PHP code on the server. The attacker must have network access to the Dolibarr instance and the ability to create or modify cron job entries, which may require prior authentication depending on the deployment configuration.
Affected code
The vulnerability resides in `htdocs/cron/class/cronjob.class.php`, specifically in the handling of the `job type` within a `call_user_func_array()` call. The patch provided (`patch_id=2691377`) only modifies `dev/build/makepack-dolibarr.pl` and does not address the cronjob file, so the exact vulnerable code path is not shown in the supplied patch.
What the fix does
The supplied patch (`patch_id=2691377`) only removes a debug print statement from `dev/build/makepack-dolibarr.pl` and does not address the `call_user_func_array()` vulnerability in `htdocs/cron/class/cronjob.class.php`. The advisory does not provide a fix for the actual vulnerable code path. Remediation would require sanitizing or validating the input passed to `call_user_func_array()` in the cron job handler to prevent arbitrary function execution.
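A hardened dispatcher of the kind the remediation sentence above describes, added here as an illustrative example rather than Dolibarr's own code: the stored job row can only select callees that appear on a fixed allowlist, and the job parameters never choose the callee. The class, function and job-type names are hypothetical, and it needs PHP 8.0 or later.

```php
<?php
// Added illustrative example, not Dolibarr's own code: a cron dispatcher that
// maps a stored job row to a callable only when the job type, function name or
// class::method pair is on a fixed allowlist. All names here are hypothetical.
function purge_old_sessions(int $days): string { return "purged sessions older than {$days}d"; }

final class InvoiceReminder {
    public function sendReminders(int $limit): string { return "sent {$limit} reminders"; }
}

final class CronDispatcher
{
    // Constructed allowlists; a real deployment lists its own scheduled jobs.
    private const ALLOWED_FUNCTIONS = ['purge_old_sessions'];
    private const ALLOWED_METHODS   = ['InvoiceReminder' => ['sendReminders']];

    // Resolve a job row to a callable or throw; the allowlist, never the row, picks the callee.
    public function resolve(array $job): callable
    {
        switch ($job['jobtype'] ?? '') {
            case 'function':
                $fn = (string) ($job['function'] ?? '');
                if (!in_array($fn, self::ALLOWED_FUNCTIONS, true)) {
                    throw new InvalidArgumentException("function not allowlisted: $fn");
                }
                return $fn;
            case 'method':
                $class  = (string) ($job['class'] ?? '');
                $method = (string) ($job['method'] ?? '');
                if (!in_array($method, self::ALLOWED_METHODS[$class] ?? [], true)) {
                    throw new InvalidArgumentException("method not allowlisted: $class::$method");
                }
                return [new $class(), $method];
            default: // any other type, including anything that would shell out, is refused
                throw new InvalidArgumentException('unsupported job type');
        }
    }

    public function run(array $job): mixed
    {
        $params = is_array($job['params'] ?? null) ? array_values($job['params']) : [];
        return call_user_func_array($this->resolve($job), $params);
    }
}

$d = new CronDispatcher();
echo $d->run(['jobtype' => 'function', 'function' => 'purge_old_sessions', 'params' => [30]]), "\n";
echo $d->run(['jobtype' => 'method', 'class' => 'InvoiceReminder', 'method' => 'sendReminders', 'params' => [5]]), "\n";
try { $d->run(['jobtype' => 'function', 'function' => 'strlen', 'params' => ['x']]); } catch (InvalidArgumentException $e) { echo "rejected: ", $e->getMessage(), "\n"; }
```

The last call shows that even a harmless built-in is refused when it is not on the allowlist, which is the property the cron handler needs.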
Preconditions
- network: Attacker must have network access to the Dolibarr instance
- auth: Attacker must be able to create or modify cron job entries (may require authentication)
- config: The cron job feature must be enabled and accessible
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References