CVE-2026-10154: Dolibarr ERP CRM Auth Bypass Flaw

CVE-2026-10154 is an authorization bypass vulnerability in Dolibarr ERP CRM versions 23.0.0-23.0.2 that allows remote attackers to circumvent access controls. This article covers technical details, affected versions, and mitigation.

CVE-2026-10154 Overview

CVE-2026-10154 is an authorization bypass vulnerability in Dolibarr ERP CRM versions 23.0.0, 23.0.1, and 23.0.2. The flaw resides in an unspecified function within htdocs/user/messaging.php. Attackers can manipulate the ID argument to bypass authorization checks and access resources they should not be permitted to view or modify. The issue is exploitable remotely by authenticated users with low privileges, requires no user interaction, and is classified under CWE-285: Improper Authorization. Dolibarr fixed the issue in version 23.0.3 via commit 119b3606c7a701747a57a1f18b1a9e7666f678e2.

Critical Impact

Authenticated remote attackers can bypass authorization controls in the Dolibarr user messaging component by tampering with the ID parameter, gaining access to data outside their permission scope.

Affected Products

  • Dolibarr ERP CRM 23.0.0
  • Dolibarr ERP CRM 23.0.1
  • Dolibarr ERP CRM 23.0.2

Discovery Timeline

  • 2026-05-31 - CVE-2026-10154 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-10154

Vulnerability Analysis

The vulnerability affects the messaging component in Dolibarr ERP CRM, an open-source enterprise resource planning and customer relationship management application. The flaw stems from improper authorization handling in htdocs/user/messaging.php, where the application accepts an ID parameter without enforcing whether the authenticated user is permitted to act on the referenced record. This category of weakness falls under CWE-285: Improper Authorization.

Because the attack is delivered over the network with low complexity and only requires low-level authenticated access, any standard Dolibarr user account can interact with the vulnerable endpoint. The disclosure does not report active exploitation in the wild, and the EPSS probability is low at 0.026%.

Root Cause

The root cause is a missing or insufficient authorization check on the ID parameter processed by htdocs/user/messaging.php. The endpoint trusts the supplied identifier rather than verifying that the requested resource belongs to or is accessible by the current session user. The corrective commit 119b3606c7a701747a57a1f18b1a9e7666f678e2 introduces the necessary permission validation.

Attack Vector

An authenticated attacker sends a crafted HTTP request to the messaging endpoint with a manipulated ID value referencing another user's resource. Without proper authorization enforcement, the application performs the requested operation on the out-of-scope object. Refer to the GitHub commit details and VulDB Vulnerability #367407 for the technical fix and submission context. No verified proof-of-concept code has been published.

```text
// No verified exploit code is publicly available for CVE-2026-10154.
// Review the upstream patch for the authoritative description of the fix:
// https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2
```

Detection Methods for CVE-2026-10154

Indicators of Compromise

  • HTTP requests to htdocs/user/messaging.php containing ID values that do not correspond to the requesting user's own records.
  • Access patterns in which a single low-privileged session enumerates sequential or unrelated ID parameter values against the messaging endpoint.
  • Application or audit log entries showing messaging operations performed by accounts that do not own the referenced resource.

Detection Strategies

  • Inspect Dolibarr web server access logs for unusual parameter tampering against /user/messaging.php, particularly rapid changes in the ID query parameter.
  • Correlate authenticated user identifiers with the ownership of the ID records they are touching; mismatches indicate likely abuse.
  • Deploy a Web Application Firewall (WAF) rule that flags requests where the authenticated session user differs from the owner of the referenced messaging resource.
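A defender-side implementation of the two correlation checks above (one session touching many distinct ID values, and session user versus record owner), written as an added example that is not from the advisory or from the Dolibarr project; the log line format, the ownership map and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <session_login> <method> <request_path>".
# Not real Dolibarr traffic; the login field is assumed to come from Dolibarr's own
# application log or a reverse proxy that records the session user.
SAMPLE_LOG = """\
2026-06-01T10:00:01Z alice GET /user/messaging.php?id=17
2026-06-01T10:00:02Z alice GET /user/messaging.php?id=18
2026-06-01T10:00:03Z alice GET /user/messaging.php?id=19
2026-06-01T10:00:04Z alice GET /user/messaging.php?id=20
2026-06-01T10:00:05Z bob GET /user/messaging.php?id=42
2026-06-01T10:00:06Z bob GET /user/card.php?id=42
2026-06-01T10:00:07Z carol GET /user/messaging.php?id=7
"""

# Constructed ownership map: which login owns each messaging record id.
# In a real deployment this is looked up in the application database.
OWNERS = {17: "alice", 18: "bob", 19: "carol", 20: "dave", 42: "bob", 7: "carol"}

# Only requests to the messaging endpoint that carry an id parameter are of interest.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>/user/messaging\.php)\?(?:.*&)?id=(?P<id>\d+)"
)

def parse_messaging_requests(log_text):
    """Yield (session_login, record_id) for each request to /user/messaging.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("user"), int(m.group("id"))

def ownership_mismatches(log_text, owners):
    """Return (login, record_id, owner) for requests touching records the login does not own."""
    return [(u, i, owners.get(i)) for u, i in parse_messaging_requests(log_text)
            if owners.get(i) != u]

def enumerating_users(log_text, threshold=3):
    """Return logins that touched at least `threshold` distinct messaging record ids."""
    seen = defaultdict(set)
    for u, i in parse_messaging_requests(log_text):
        seen[u].add(i)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```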

Monitoring Recommendations

  • Forward Dolibarr application and web server logs to a centralized analytics platform for parameter-level anomaly review.
  • Alert on Dolibarr instances running versions 23.0.0, 23.0.1, or 23.0.2 discovered by asset or vulnerability scanners.
  • Track post-authentication behavior of low-privileged accounts that access resources belonging to other users in the messaging module.

How to Mitigate CVE-2026-10154

Immediate Actions Required

  • Upgrade Dolibarr ERP CRM to version 23.0.3 or later, which contains the fix commit 119b3606c7a701747a57a1f18b1a9e7666f678e2.
  • Inventory all Dolibarr deployments and confirm the running version against the affected list (23.0.0, 23.0.1, 23.0.2).
  • Review recent access to htdocs/user/messaging.php for signs of unauthorized resource access and rotate credentials if abuse is observed.

Patch Information

The vendor released the fix in Dolibarr 23.0.3. The corresponding source change is documented in the GitHub commit details. Additional submission and analyst context is available at VulDB Submission #818838 and VulDB Vulnerability #367407.

Workarounds

  • Restrict network access to the Dolibarr application so that only trusted users and networks can reach the messaging endpoint.
  • Reduce the number of low-privileged accounts and audit existing user permissions until the patched version is deployed.
  • Place the application behind a WAF configured to detect parameter tampering on the ID argument of htdocs/user/messaging.php.
```bash
# Upgrade Dolibarr to the patched release
cd /path/to/dolibarr
git fetch --tags
git checkout 23.0.3

# Verify the fix commit is an ancestor of the checked-out release.
# (git log --oneline prints abbreviated hashes, so grepping for the full
#  40-character hash there would never match.)
git merge-base --is-ancestor 119b3606c7a701747a57a1f18b1a9e7666f678e2 HEAD && echo "fix commit present"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
