CVE-2026-11619 Overview
CVE-2026-11619 is an improper authorization vulnerability [CWE-266] affecting Dolibarr ERP CRM versions up to and including 23.0.2. The flaw resides in an unknown function within htdocs/core/filemanagerdol/connectors/php/config.inc.php, part of the Legacy Filemanager component. The issue allows remote attackers with low privileges to manipulate access controls and interact with file manager functionality beyond their authorization scope. A public exploit reference exists in VulDB, and the maintainers have released version 23.0.3 with patch commit f1b2dd6481e22cacb561d29ffdcd3a50b618479d to address the issue.
Critical Impact
Authenticated remote attackers can bypass authorization checks on the Legacy Filemanager component, potentially gaining unauthorized read or write access to files managed through the Dolibarr ERP CRM platform.
Affected Products
- Dolibarr ERP CRM versions up to and including 23.0.2
- Legacy Filemanager component (htdocs/core/filemanagerdol/connectors/php/config.inc.php)
- Dolibarr ERP CRM deployments exposing the legacy filemanager endpoint
Discovery Timeline
- 2026-06-09 - CVE-2026-11619 published to NVD
- 2026-06-09 - Last updated in NVD database
- Patch commit - f1b2dd6481e22cacb561d29ffdcd3a50b618479d released in Dolibarr 23.0.3
Technical Details for CVE-2026-11619
Vulnerability Analysis
The vulnerability stems from missing permission checks in the Legacy Filemanager connector files. Dolibarr's htdocs/core/filemanagerdol/connectors/php/config.inc.php loaded main.inc.php but did not validate the authenticated user's permissions before exposing filemanager functionality. The companion connector.php likewise relied on the configuration include without enforcing authorization on the operations it dispatched. As a result, any authenticated user could reach the connector endpoints regardless of whether they held the necessary filemanager rights. The flaw is categorized as CWE-266 (Incorrect Privilege Assignment) and impacts the confidentiality, integrity, and availability of files managed through the component.
Root Cause
The root cause is the absence of a per-user permission test in the legacy filemanager entry points. The configuration include initialized application context but did not gate execution behind a privilege check tied to the $user object. Downstream connector logic therefore trusted that any reachable request was authorized.
Attack Vector
An attacker with low-privilege authenticated access submits a network request to the Legacy Filemanager connector. Because no permission verification occurs, the request reaches the filemanager handlers and can be used to enumerate or manipulate files outside the user's intended scope.
// Patch excerpt: htdocs/core/filemanagerdol/connectors/php/config.inc.php
// is a security hole if anybody can access without
// being an authenticated user.
require_once '../../../../main.inc.php';
-
/**
* @var Conf $conf
+ * @var User $user
*
* @var string $dolibarr_main_data_root
* @var string $dolibarr_main_url_root
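Review bot: the only changes visible in this excerpt are a removed blank line and the PHPDoc annotation `+ * @var User $user`; an annotation declares a type for static analysis and does not execute, so the `$user` permission test that the description attributes to this commit is not in the lines shown. Suggest quoting the lines that actually enforce the check (the code that tests the user's filemanager rights and refuses the request when they are absent) so a reader can verify that the authorization gap is closed rather than merely documented.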
Source: GitHub Commit f1b2dd6
// Patch excerpt: htdocs/core/filemanagerdol/connectors/php/connector.php
ob_start();
require 'config.inc.php'; // This include the main.inc.php
+/**
+ * @var array<string,mixed> $Config
+ */
require 'connector.lib.php';
if (!$Config['Enabled']) {
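Review bot: this hunk adds only a `@var array<string,mixed> $Config` docblock and changes no behaviour. The `if (!$Config['Enabled'])` guard that follows tests whether the connector feature is switched on, not whether the requesting `$user` holds filemanager rights, so on its own this hunk does not address the missing authorization check; the enforcing lines should be shown alongside it.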
Source: GitHub Commit f1b2dd6. The fix introduces a $user permission test on the legacy filemanager and is credited to Aksoum.
Detection Methods for CVE-2026-11619
Indicators of Compromise
- HTTP requests to URIs containing /core/filemanagerdol/connectors/php/connector.php or /core/filemanagerdol/connectors/php/config.inc.php.
- Filemanager Command parameters such as FileUpload, GetFolders, GetFoldersAndFiles, or CreateFolder originating from accounts without filemanager privileges.
- Unexpected files appearing under Dolibarr documents/ directories with timestamps correlating to suspicious connector requests.
Detection Strategies
- Review web server access logs for requests to the legacy filemanager connector and correlate the requesting user identity against assigned Dolibarr permissions.
- Hunt for POST requests with multipart uploads to the connector endpoint from low-privilege session cookies.
- Compare deployed Dolibarr code to the upstream tag 23.0.3 to confirm the patch commit f1b2dd6481e22cacb561d29ffdcd3a50b618479d is applied.
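The log review described in the indicators and detection strategies above, as an added example that is not part of the original advisory or of Dolibarr: it parses access-log lines for requests to the legacy filemanager connector, extracts the Command parameter, and flags requests from logins that do not hold filemanager rights. It assumes the web server appends a constructed `user=<login>` field (resolved from the Dolibarr session) to each combined-format line; the log lines and the rights table are constructed sample data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined log format plus an assumed trailing "user=<login>" field that the
# deployment is presumed to append from the Dolibarr session (constructed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" user=(?P<login>\S+)$'
)
CONNECTOR_PATH = "/core/filemanagerdol/connectors/php/"

# Constructed rights table: which logins are allowed to use the filemanager.
FILEMANAGER_RIGHTS = {"admin": True, "alice": False, "bob": False}

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" user=alice',
    '10.0.0.5 - - [09/Jun/2026:10:01:10 +0000] "GET /core/filemanagerdol/connectors/php/connector.php'
    '?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" user=alice',
    '10.0.0.5 - - [09/Jun/2026:10:01:30 +0000] "POST /core/filemanagerdol/connectors/php/connector.php'
    '?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 120 "-" "Mozilla/5.0" user=alice',
    '10.0.0.9 - - [09/Jun/2026:10:05:00 +0000] "GET /core/filemanagerdol/connectors/php/connector.php'
    '?Command=GetFolders&Type=File&CurrentFolder=/ HTTP/1.1" 200 900 "-" "Mozilla/5.0" user=admin',
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_connector_requests(lines, rights=FILEMANAGER_RIGHTS):
    """Return one finding per connector request made by a login without filemanager rights."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["uri"])
        if CONNECTOR_PATH not in parsed.path:
            continue                      # not the legacy filemanager endpoint
        command = parse_qs(parsed.query).get("Command", ["?"])[0]
        if rights.get(rec["login"], False):
            continue                      # login is entitled to use the filemanager
        findings.append({"login": rec["login"], "ip": rec["ip"], "method": rec["method"],
                         "command": command, "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in flag_connector_requests(SAMPLE_LOG):
        print(f)
```

On the sample data the two requests by alice (a GetFoldersAndFiles listing and a POST FileUpload) are flagged, while the admin's request and the unrelated index.php hit are not.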
Monitoring Recommendations
- Enable detailed PHP access logging for the htdocs/core/filemanagerdol/ path and alert on anomalies.
- Monitor file creation, modification, and deletion within Dolibarr document storage paths.
- Track Dolibarr user sessions invoking filemanager actions and baseline expected administrators.
How to Mitigate CVE-2026-11619
Immediate Actions Required
- Upgrade Dolibarr ERP CRM to version 23.0.3 or later, which includes patch commit f1b2dd6481e22cacb561d29ffdcd3a50b618479d.
- Audit Dolibarr user accounts and revoke unnecessary access to the filemanager module.
- Inspect the documents/ storage tree for files created or modified by unexpected users.
Patch Information
The vendor released Dolibarr 23.0.3 with a permission test added to the legacy filemanager entry points. See the GitHub Release Notes 23.0.3 and the GitHub Commit f1b2dd6. Additional context is available at VulDB CVE-2026-11619.
Workarounds
- Restrict web server access to htdocs/core/filemanagerdol/connectors/php/ using deny rules at the reverse proxy or .htaccess level until the upgrade is applied.
- Disable the Legacy Filemanager feature in Dolibarr configuration if the module is not required.
- Place Dolibarr behind authenticated VPN access to limit exposure of the connector endpoint to untrusted networks.
# Example nginx rule to block the legacy filemanager connector path
location ~* /core/filemanagerdol/connectors/php/ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

