CVE-2026-34036
Published 2026-03-31
Priority P3 43 · medium · 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.42% (33.6th percentile)
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | <= 22.0.4 | — |
| dolibarr | dolibarr | 0 – 22.0.4 | — |
| dolibarr | dolibarr_erp_crm | <= 22.0.4 | — |
CVSS provenance
NVD (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
OSV: 6.5 MEDIUM
OSV
osv · 2026-03-31 · CVSS 6.5
CVE-2026-34036 [MEDIUM] CVE-2026-34036: Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package (same description as above)
GHSA
ghsa · 2026-03-27
CVE-2026-34036 [MEDIUM] CWE-98 Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php
# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure
## Target
Dolibarr Core (Tested on version 22.0.4)
## Summary
A Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as `.env`, `.htaccess`, configuration backups, or logs…).
## Vulnerability Details
The vulnerability is caused by a critical design flaw in `/core/ajax/sele
OSV
osv · 2026-03-27
CVE-2026-34036 [MEDIUM] Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
Published: 2026-03-31