CVE-2026-37712: Dolibarr ERP/CRM RCE Vulnerability

CVE-2026-37712 Overview

CVE-2026-37712 is a remote code execution vulnerability in Dolibarr ERP/CRM affecting versions 22.0.0 through 22.0.4 and 24.0.0-alpha. The flaw resides in htdocs/cron/class/cronjob.class.php, where the call_user_func_array() PHP function is invoked against attacker-influenced input within the job type handling logic. An authenticated remote attacker with access to the cron job configuration can execute arbitrary PHP code on the underlying server.

Critical Impact

Successful exploitation grants attackers arbitrary code execution within the Dolibarr web application context, enabling full compromise of business data, customer records, and the hosting server.

Affected Products

• Dolibarr ERP/CRM v22.0.0 through v22.0.4
• Dolibarr ERP/CRM v24.0.0-alpha
• Deployments using the cron module (htdocs/cron/class/cronjob.class.php)

Discovery Timeline

• 2026-05-27 - CVE-2026-37712 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-37712

Vulnerability Analysis

The vulnerability stems from unsafe use of PHP's call_user_func_array() in the cron job class. Dolibarr permits administrators to define scheduled tasks with a configurable job type, class, method, and parameters. When the cron scheduler processes a job, it passes user-controlled values to call_user_func_array() without sufficient allowlisting of permitted callbacks.

This condition falls under Code Injection. Because the function name and arguments are sourced from the cron job record, an attacker who can create or modify cron entries can pivot from configuration access to direct PHP function invocation. The Bryamzxz analysis describes this as a recurrence of long-standing evaluation issues in the dol_eval family of helpers used by Dolibarr.

Root Cause

The root cause is missing validation of callable identifiers passed to a dynamic dispatch function. call_user_func_array($function, $args) will invoke any function reachable by name, including dangerous primitives such as system, exec, passthru, or assert, when the first argument is not constrained to a vetted allowlist.

Attack Vector

An attacker authenticates to a Dolibarr instance with permissions to create or edit cron jobs. They craft a job whose type triggers the call_user_func_array() code path and supply a function name plus argument array. When the cron scheduler executes, or when the attacker triggers manual execution, the chosen function runs with the privileges of the PHP process. The attacker then drops a webshell, exfiltrates database credentials from conf.php, or pivots into the host operating system.

No verified public proof-of-concept code is included in the references. Technical write-up details are available in the Bryamzxz Blog Analysis and the GitHub Security Advisory GHSA-c2jp-w9cj-6cx4.

Detection Methods for CVE-2026-37712

Indicators of Compromise

• New or modified rows in the llx_cronjob database table containing unusual function names such as system, exec, shell_exec, passthru, or assert.
• PHP-FPM or Apache child processes spawning OS shells (/bin/sh, bash, cmd.exe) as descendants of the Dolibarr web server.
• Outbound network connections initiated by the web server to unfamiliar hosts shortly after cron execution windows.
• Newly created files under htdocs/ with PHP extensions and recent modification timestamps not associated with deployment activity.

Detection Strategies

• Review Dolibarr cron job definitions for entries whose class, method, or parameter fields reference PHP language built-ins rather than legitimate Dolibarr classes.
• Hunt for process-tree anomalies where the web server user executes shell utilities, curl, wget, or compilers.
• Correlate authentication logs with cron job creation events to identify administrative accounts modifying scheduled tasks outside change windows.

Monitoring Recommendations

• Enable PHP disable_functions audit logging where supported and alert on attempts to invoke restricted functions.
• Forward Dolibarr application logs and web server access logs to a central SIEM, focusing on /htdocs/cron/ endpoints.
• Monitor file integrity on the Dolibarr installation directory to detect webshell drops following cron execution.

How to Mitigate CVE-2026-37712

Immediate Actions Required

• Upgrade Dolibarr to a patched release beyond 22.0.4 as referenced in the GitHub Security Advisory GHSA-c2jp-w9cj-6cx4. Avoid the 24.0.0-alpha build in production.
• Audit all existing cron job entries and remove any that reference unexpected functions or classes.
• Rotate database credentials and API keys stored in conf.php if compromise is suspected.

Patch Information

The Dolibarr maintainers published advisory GHSA-c2jp-w9cj-6cx4 addressing the unsafe call_user_func_array() invocation in htdocs/cron/class/cronjob.class.php. Apply the fixed upstream version and rebuild any forks or customized deployments against the patched source tree.

Workarounds

• Restrict cron job management privileges to a minimal set of trusted administrators by tightening the Dolibarr permission model.
• Disable the cron module entirely if scheduled tasks are not required for the deployment.
• Configure PHP disable_functions to block system, exec, passthru, shell_exec, proc_open, and assert for the Dolibarr execution context.

# Example PHP hardening for the Dolibarr web context
# /etc/php/8.x/fpm/pool.d/dolibarr.conf
php_admin_value[disable_functions] = system,exec,passthru,shell_exec,proc_open,popen,assert,pcntl_exec
php_admin_value[open_basedir] = /var/www/dolibarr/:/tmp/