CVE-2026-10215— Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization
Possible ATT&CK Techniques 1AI
T1078 · Valid AccountsGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10215
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization
Source: NVD (National Vulnerability Database)
Vulnerability Description
A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-10215
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10215
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-10215 (1)
Vendor Advisories for CVE-2026-10215 (1)
Vendor Pages for CVE-2026-10215 (1)
Other References for CVE-2026-10215 (1)
Other References for CVE-2026-10215 (1)
IV. Related Vulnerabilities
Same vendor: Dolibarr
- CVE-2026-10154
Dolibarr ERP CRM messaging.php authorization - CVE-2018-25357
Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/ste - CVE-2025-67486
Dolibarr has an Authenticated Remote Code Execution via eval - CVE-2026-7689
Dolibarr ERP CRM Online Signature security.lib.php dol_verif - CVE-2026-7688
Dolibarr ERP CRM Shipments API Endpoint expedition.class.php
Same weakness: CWE-285
- CVE-2026-10272
a4m4 Student-Management-System deleteform.php improper autho - CVE-2026-10269
decolua 9router HTTP Header dashboardGuard.js isAuthenticate - CVE-2026-40963
Apache Airflow: DAG authorization bypass on /ui/structure/st - CVE-2026-10236
SourceCodester Water Billing Management System User Manageme - CVE-2026-46605
Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ
V. Comments for CVE-2026-10215
No comments yet