CVE-2026-37711 Overview
CVE-2026-37711 is a remote code execution vulnerability in Dolibarr ERP/CRM affecting versions 22.0.0 through 22.0.4 and 24.0.0-alpha. The flaw resides in htdocs/core/actions_addupdatedelete.inc.php and allows a remote attacker to execute arbitrary code on the underlying server. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and is reachable over the network without user interaction.
Critical Impact
Remote attackers can execute arbitrary code on vulnerable Dolibarr ERP/CRM instances by abusing code generation logic in actions_addupdatedelete.inc.php, compromising confidentiality, integrity, and availability of business data.
Affected Products
- Dolibarr ERP/CRM 22.0.0 through 22.0.4
- Dolibarr ERP/CRM 24.0.0-alpha
- Deployments exposing htdocs/core/actions_addupdatedelete.inc.php to untrusted users
Discovery Timeline
- 2026-05-27 - CVE-2026-37711 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-37711
Vulnerability Analysis
The vulnerability stems from improper control of dynamically generated code inside htdocs/core/actions_addupdatedelete.inc.php, a core include used by Dolibarr to process add, update, and delete actions across multiple modules. Attacker-controlled input flows into a code evaluation path without sufficient validation or sanitization. As a result, an attacker can inject PHP expressions that the application evaluates server-side. The flaw is exploitable remotely over the network with low attack complexity and does not require authentication or user interaction, broadening the attacker population significantly. Successful exploitation grants the attacker the privileges of the web server process running Dolibarr, exposing ERP records, customer data, and any credentials accessible to the application.
Root Cause
The root cause is a CWE-94 code injection pattern in the shared action handler. The handler constructs and evaluates PHP code from request parameters without enforcing a strict allow-list or escaping dangerous tokens. According to the GitHub Project Overview, this class of dol_eval related injection has been observed in Dolibarr code paths for several years.
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to a Dolibarr endpoint that includes actions_addupdatedelete.inc.php in its execution flow. The request supplies parameter values that reach the evaluation routine and are interpreted as PHP code. Once executed, the attacker can read or modify ERP/CRM data, pivot to the database, or stage further intrusion. Detailed exploitation context is provided in the Dolibarr GitHub Security Advisory GHSA-grw9-6m4w-mhcq.
No verified public proof-of-concept code is included with this advisory. Refer to the vendor advisory for technical details on the vulnerable evaluation routine.
Detection Methods for CVE-2026-37711
Indicators of Compromise
- HTTP requests to Dolibarr endpoints carrying PHP language tokens such as system(, passthru(, phpinfo(, or backticks in POST or GET parameters.
- Unexpected child processes spawned by the PHP-FPM or Apache worker hosting Dolibarr, such as sh, bash, curl, or wget.
- New or modified PHP files inside the Dolibarr htdocs/ directory tree that were not deployed by an administrator.
- Outbound network connections from the Dolibarr web host to unfamiliar IP addresses shortly after suspicious POST traffic.
Detection Strategies
- Inspect web server access logs for POST requests targeting action handlers in htdocs/core/ with parameter values containing PHP function names or operators.
- Correlate web request logs with process creation telemetry to identify command execution originating from the PHP interpreter.
- Apply web application firewall (WAF) rules that flag code injection patterns against Dolibarr URIs.
Monitoring Recommendations
- Forward Dolibarr web server, PHP error, and host process telemetry to a centralized logging or SIEM platform for correlation.
- Alert on file integrity changes within the Dolibarr installation directory, especially additions of .php files outside scheduled upgrades.
- Monitor egress traffic from the Dolibarr server and alert on connections to non-business destinations following authentication-less POST activity.
How to Mitigate CVE-2026-37711
Immediate Actions Required
- Upgrade Dolibarr ERP/CRM to a fixed release published by the Dolibarr project as referenced in GHSA-grw9-6m4w-mhcq.
- Restrict network access to Dolibarr instances so they are not directly reachable from the public internet where business requirements allow.
- Audit the Dolibarr web root and database for signs of prior exploitation, including unexpected PHP files and administrative account changes.
- Rotate credentials stored in or accessible to the Dolibarr application, including database, SMTP, and API integration secrets.
Patch Information
The Dolibarr maintainers track the fix under advisory GHSA-grw9-6m4w-mhcq. Administrators should apply the upgrade documented in the Dolibarr GitHub Security Advisory and review the related background analysis in the dol_eval five years post before redeploying affected versions.
Workarounds
- Place Dolibarr behind a WAF and block requests containing PHP syntax tokens such as ;, backticks, or function names like system in parameters consumed by actions_addupdatedelete.inc.php.
- Enforce authentication and IP allow-listing at the reverse proxy for all Dolibarr URIs until patching is complete.
- Run the PHP interpreter for Dolibarr under a low-privilege account with disable_functions configured to remove exec, system, passthru, shell_exec, and proc_open where compatible with application features.
# Example php.ini hardening for the Dolibarr PHP pool
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
allow_url_include = Off
allow_url_fopen = Off
expose_php = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
