CVE-2026-58376 Overview
CVE-2026-58376 is a SQL injection vulnerability [CWE-89] in Dolibarr ERP/CRM through version 23.0.3. The flaw resides in the sqlfilters query parameter handling within the setup dictionary and multicurrencies REST API endpoints. Authenticated API users can exfiltrate arbitrary database contents, including password hashes and API keys, by injecting malicious SQL through this parameter. The vulnerability is fixed in commit 14db36e.
Critical Impact
Authenticated attackers can extract sensitive data such as password hashes and API keys from the underlying database by appending UNION SELECT statements to the sqlfilters parameter.
Affected Products
- Dolibarr ERP/CRM through 23.0.3
- htdocs/api/class/api_setup.class.php endpoint
- htdocs/multicurrency/class/api_multicurrencies.class.php endpoint
Discovery Timeline
- 2026-06-30 - CVE-2026-58376 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-58376
Vulnerability Analysis
Dolibarr exposes REST API list endpoints that accept a sqlfilters query parameter. This parameter is intended to accept structured filter triplets wrapped in parentheses. The affected endpoints validate sqlfilters only for balanced parentheses, then rewrite matched triplets using a regular expression callback. Any text placed outside the expected triplet shape passes through unmodified and is concatenated directly into the SQL WHERE clause.
An authenticated attacker can append arbitrary SQL, including UNION SELECT statements, to extract data from any table accessible to the database user. Retrieved data includes user credential hashes and API tokens, enabling lateral movement and account takeover.
Root Cause
The root cause is insufficient input validation in the _checkFilters routine. The prior implementation only confirmed parenthesis balance and applied preg_replace_callback against a triplet pattern. Content that did not match the triplet regex was preserved verbatim and joined into the query string. The remediation replaces this pattern with forgeSQLFromUniversalSearchCriteria, which parses and sanitizes the entire filter expression before it reaches the SQL layer.
Attack Vector
Exploitation requires valid API credentials but no elevated privileges. The attacker issues an HTTP GET request to a vulnerable list endpoint and supplies a crafted sqlfilters value. The payload keeps parentheses balanced while embedding a UNION SELECT clause targeting sensitive tables such as llx_user. The database returns attacker-selected columns in the API response.
// Vulnerable pattern removed by the patch (api_setup.class.php and api_multicurrencies.class.php)
if ($sqlfilters) {
$errormessage = '';
- if (!DolibarrApi::_checkFilters($sqlfilters, $errormessage)) {
+ $sql .= forgeSQLFromUniversalSearchCriteria($sqlfilters, $errormessage);
+ if ($errormessage) {
throw new RestException(400, 'Error when validating parameter sqlfilters -> '.$errormessage);
}
- $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^\(\)]+)\)';
- $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
}
$sql .= $this->db->order($sortfield, $sortorder);
Source: GitHub Commit 14db36e
Detection Methods for CVE-2026-58376
Indicators of Compromise
- HTTP requests to Dolibarr API endpoints containing sqlfilters= values with SQL keywords such as UNION, SELECT, FROM, or INFORMATION_SCHEMA.
- API access logs referencing /api/index.php/setup/dictionary/* or /api/index.php/multicurrencies with abnormally large response payloads.
- Unexpected reads against sensitive tables such as llx_user, llx_user_rights, or API key storage tables in database audit logs.
Detection Strategies
- Inspect web server and reverse proxy logs for sqlfilters parameter values containing SQL syntax outside the documented (field:operator:value) triplet format.
- Enable MySQL/MariaDB general query logging temporarily to correlate API requests with UNION-based queries against Dolibarr tables.
- Deploy a Web Application Firewall (WAF) rule that blocks sqlfilters values containing whitespace-separated SQL keywords.
Monitoring Recommendations
- Alert on repeated HTTP 200 responses to Dolibarr list endpoints where response size deviates significantly from baseline.
- Track authentication events for API tokens issued after the disclosure date and flag tokens exercising list endpoints with atypical parameters.
- Monitor for enumeration patterns such as sequential requests probing different table or column names in the sqlfilters parameter.
How to Mitigate CVE-2026-58376
Immediate Actions Required
- Upgrade Dolibarr to a release containing commit 14db36e or later.
- Rotate all Dolibarr user passwords and API keys, since disclosed credentials must be considered compromised.
- Restrict API access to trusted networks using firewall rules or reverse proxy allowlists until patching completes.
- Review database audit logs for evidence of prior exploitation targeting llx_user and related tables.
Patch Information
The vendor fix is available in commit 14db36e. The patch replaces the flawed _checkFilters validation with forgeSQLFromUniversalSearchCriteria, which properly parses and rejects malformed filter expressions. See the GitHub Pull Request #38794 and the VulnCheck SQL Injection Advisory for additional context.
Workarounds
- Disable the REST API module in Dolibarr configuration if it is not required for business operations.
- Deploy a WAF rule that rejects requests containing sqlfilters values with SQL keywords such as UNION, SELECT, --, or /*.
- Restrict database user privileges granted to the Dolibarr application account, limiting the scope of data reachable through injection.
# Example WAF rule (ModSecurity) blocking SQL keywords in the sqlfilters parameter
SecRule ARGS:sqlfilters "@rx (?i)(union[\s/*]+select|information_schema|--|/\*)" \
"id:1026583,phase:2,deny,status:403,log,msg:'CVE-2026-58376 sqlfilters SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

