CVE-2026-34036 Overview
CVE-2026-34036 is a Local File Inclusion (LFI) vulnerability discovered in Dolibarr, an open-source enterprise resource planning (ERP) and customer relationship management (CRM) software package. The vulnerability exists in the core AJAX endpoint /core/ajax/selectobject.php and allows authenticated users with no specific privileges to read arbitrary non-PHP files on the server by manipulating the objectdesc parameter.
The vulnerability stems from a fail-open logic flaw in the core access control function restrictedArea(), which handles authorization checks incorrectly. This lets attackers bypass access controls and retrieve sensitive server-side files, including .env configuration files, .htaccess files, configuration backups, and application logs.
Critical Impact
Authenticated users can read sensitive server files including environment configurations, credentials, and logs through a vulnerable AJAX endpoint.
Affected Products
- Dolibarr version 22.0.4 and prior versions
Discovery Timeline
- 2026-03-31 - CVE-2026-34036 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34036
Vulnerability Analysis
This Local File Inclusion vulnerability (CWE-98) affects the /core/ajax/selectobject.php endpoint in Dolibarr. The core issue stems from improper validation of the objectdesc parameter combined with a fail-open logic flaw in the restrictedArea() access control function.
When a user sends a crafted request to the vulnerable endpoint, the application fails to properly sanitize file path inputs, allowing directory traversal sequences to escape the intended directory. Additionally, the restrictedArea() function contains a fail-open design flaw where certain conditions cause it to grant access rather than deny it when encountering unexpected inputs.
The vulnerability allows reading of non-PHP files only, as PHP files would be executed rather than displayed. However, this limitation still exposes a significant attack surface including environment configuration files (.env), Apache configuration files (.htaccess), backup files, and application logs that may contain sensitive information such as database credentials, API keys, and user data.
Root Cause
The root cause is twofold: improper input validation on the objectdesc parameter that permits path traversal sequences, and a fail-open logic flaw in the restrictedArea() authorization function. The access control function fails to properly deny access when it encounters malformed or unexpected input, defaulting to allowing the request rather than blocking it.
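The following Python illustration is added here and is not Dolibarr's restrictedArea() or selectobject.php code; it shows the two defect classes the root cause names, each beside a hardened form. The function names, the PERMISSIONS table, the ALLOWED_ROOT directory and the "module:Class" descriptor grammar are all hypothetical.

```python
# Added illustration (not Dolibarr's own code): a fail-open authorization
# check beside a fail-closed one, and strict allowlisting of an
# object-descriptor parameter beside the path it resolves to. Names
# (fail_open_check, fail_closed_check, resolve_object_file), the PERMISSIONS
# table, ALLOWED_ROOT and the "module:Class" grammar are hypothetical.
import re
from pathlib import Path

# Constructed permission table: user -> modules the user may access.
PERMISSIONS = {
    "alice": {"societe", "product"},
    "bob": {"product"},
}

# Constructed directory the endpoint is meant to load object files from.
ALLOWED_ROOT = Path("/var/www/app/core/objects").resolve()

# Hypothetical descriptor grammar: "<module>:<Class>", no dots or separators.
OBJECTDESC_RE = re.compile(r"[a-z][a-z0-9_]*:[A-Za-z][A-Za-z0-9_]*")


def fail_open_check(user, module):
    """Fail-open authorization: a chain of per-module checks sets `denied`
    only for modules it knows about. An unknown or malformed module never
    sets it, so the function returns True and grants access by default."""
    denied = False
    if module == "societe":
        if "societe" not in PERMISSIONS.get(user, set()):
            denied = True
    elif module == "product":
        if "product" not in PERMISSIONS.get(user, set()):
            denied = True
    # No else branch: anything unexpected falls through with denied == False.
    return not denied


def fail_closed_check(user, module):
    """Fail-closed authorization: access is granted only by an explicit
    allow entry; malformed or unknown input returns False."""
    if not isinstance(user, str) or not isinstance(module, str):
        return False
    return module in PERMISSIONS.get(user, set())


def resolve_object_file(objectdesc):
    """Map a descriptor to a file under ALLOWED_ROOT, or return None.
    The allowlist regex rejects traversal sequences and encoded variants
    before any path is built; the parents check is defense in depth."""
    if not isinstance(objectdesc, str) or not OBJECTDESC_RE.fullmatch(objectdesc):
        return None
    module, cls = objectdesc.split(":", 1)
    candidate = (ALLOWED_ROOT / module / f"{cls}.class.php").resolve()
    if ALLOWED_ROOT not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    print(fail_open_check("bob", "societe"))         # False: known module, explicit deny
    print(fail_open_check("bob", "not_a_module"))    # True: the fail-open default
    print(fail_closed_check("bob", "not_a_module"))  # False: no explicit allow
    print(resolve_object_file("product:Product"))    # a path under ALLOWED_ROOT
    print(resolve_object_file("../../../.env"))      # None: rejected by the allowlist
```

The point of the contrast is that a fail-closed check has exactly one way to return True, whereas the fail-open version has one way to return False and lets everything else through; likewise the descriptor is validated against a grammar, so the file path is derived from trusted pieces rather than sanitized after the fact.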
Attack Vector
The attack requires network access and valid authentication credentials (any authenticated user). An attacker can exploit this vulnerability by sending crafted HTTP requests to the /core/ajax/selectobject.php endpoint with a manipulated objectdesc parameter containing path traversal sequences.
The attacker can read sensitive files such as:
- .env files containing environment variables and credentials
- .htaccess files revealing server configuration
- Configuration backup files
- Application logs potentially containing sensitive data
Due to the network-based attack vector and low attack complexity, any authenticated user within the application can exploit this vulnerability without requiring elevated privileges.
Detection Methods for CVE-2026-34036
Indicators of Compromise
- HTTP requests to /core/ajax/selectobject.php containing path traversal sequences such as ../ in the objectdesc parameter
- Unusual access patterns to the AJAX endpoint from authenticated sessions
- Web server logs showing requests for sensitive file paths like .env, .htaccess, or backup files
- Unexpected file access events in application or system logs
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal patterns targeting the /core/ajax/selectobject.php endpoint
- Implement file integrity monitoring on sensitive configuration files
- Review access logs for anomalous requests to AJAX endpoints containing directory traversal characters
- Deploy intrusion detection rules to alert on LFI attack patterns
Monitoring Recommendations
- Enable verbose logging on the Dolibarr application to capture detailed request parameters
- Configure security information and event management (SIEM) rules to detect path traversal attempts
- Monitor for unusual read access to sensitive configuration files outside normal application behavior
- Establish baseline metrics for AJAX endpoint usage to identify anomalous activity
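As an added example (not from the advisory or from Dolibarr), the indicators and detection strategies above can be turned into a log scan: the script below reads Apache combined-format access log lines, keeps only requests to /core/ajax/selectobject.php, fully percent-decodes each objectdesc value so double-encoded forms normalize, and flags any value containing a ".." path segment. The log lines are constructed samples and the helper names are hypothetical.

```python
# Added detection example (not from the advisory or Dolibarr): flags access
# log lines whose objectdesc parameter carries a traversal sequence, in
# plain, URL-encoded or double-encoded form. SAMPLE_LOG is constructed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULNERABLE_ENDPOINT = "/core/ajax/selectobject.php"

# Apache combined-format prefix: ip ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one benign request, two traversal attempts
# (plain-encoded and double-encoded), one unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - alice [31/Mar/2026:10:00:01 +0000] "GET /dolibarr/core/ajax/selectobject.php?objectdesc=product:Product HTTP/1.1" 200 512
10.0.0.9 - bob [31/Mar/2026:10:00:07 +0000] "GET /dolibarr/core/ajax/selectobject.php?objectdesc=..%2F..%2F..%2F.env HTTP/1.1" 200 844
10.0.0.9 - bob [31/Mar/2026:10:00:09 +0000] "GET /dolibarr/core/ajax/selectobject.php?objectdesc=%252e%252e%252f%252e%252e%252f.htaccess HTTP/1.1" 200 310
10.0.0.7 - carol [31/Mar/2026:10:01:00 +0000] "GET /dolibarr/index.php?mainmenu=home HTTP/1.1" 200 2048
"""


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads normalize."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def objectdesc_is_traversal(target):
    """True when the request targets the endpoint and any objectdesc value
    contains a '..' path segment after full decoding (backslashes count)."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULNERABLE_ENDPOINT):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("objectdesc", [])
    for raw in values:
        segments = decode_fully(raw).replace("\\", "/").split("/")
        if ".." in segments:
            return True
    return False


def scan_access_log(text):
    """Return (ip, user, target) for each line matching the indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and objectdesc_is_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("user"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, user, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip} as {user}: {target}")
```

Because the access log only records the query string, objectdesc values sent in a POST body are invisible to this scan; the verbose application logging recommended above is what covers that case.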
How to Mitigate CVE-2026-34036
Immediate Actions Required
- Review and restrict access to the Dolibarr application to trusted users only
- Implement web application firewall rules to block path traversal sequences in requests to /core/ajax/selectobject.php
- Audit existing user accounts and remove unnecessary access
- Move sensitive configuration files outside the web root where possible
Patch Information
At the time of publication, there are no publicly available patches for this vulnerability. Organizations should monitor the Dolibarr GitHub repository for updates and apply patches as soon as they become available. Additional details can be found in the GitHub Security Advisory GHSA-2mfj-r695-5h9r.
Workarounds
- Restrict network access to the Dolibarr application using firewall rules or VPN requirements
- Implement additional authentication layers such as multi-factor authentication
- Deploy a web application firewall with rules to detect and block LFI attack patterns
- Move sensitive files such as .env and configuration backups outside the web-accessible directory structure
- Consider temporarily disabling the vulnerable AJAX endpoint if not critical to business operations
# Example WAF rule to block path traversal in the objectdesc parameter.
# Add to the .htaccess file in the Dolibarr document root (in a server-level
# <VirtualHost> block the RewriteRule pattern needs a leading slash).
# %{QUERY_STRING} is the raw, undecoded query string, so plain, URL-encoded and
# double-encoded dot/slash forms are matched as separate conditions.
# RewriteCond does not inspect POST bodies; this is a stopgap, not a patch.
RewriteEngine On
RewriteCond %{QUERY_STRING} objectdesc=[^&]*(\.|%2e){2}(/|%2f) [NC,OR]
RewriteCond %{QUERY_STRING} objectdesc=[^&]*(%252e){2}%252f [NC]
RewriteRule ^core/ajax/selectobject\.php$ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.