CVE-2026-7688 Overview
CVE-2026-7688 is a SQL injection vulnerability affecting Dolibarr ERP CRM versions up to 23.0.2. The flaw resides in the _checkValForAPI function within htdocs/expedition/class/expedition.class.php, part of the Shipments API Endpoint component. An authenticated remote attacker can manipulate the fields argument to inject SQL statements into backend queries. The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Exploitation requires high attack complexity, and a public exploit has been disclosed. The vendor was contacted but did not respond to the disclosure.
Critical Impact
Remote authenticated attackers can inject SQL through the Shipments API fields parameter, potentially exposing or modifying ERP data stored in the underlying database.
Affected Products
- Dolibarr ERP CRM versions up to and including 23.0.2
- Component: Shipments API Endpoint (htdocs/expedition/class/expedition.class.php)
- Function: _checkValForAPI
Discovery Timeline
- 2026-05-03 - CVE-2026-7688 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7688
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied input passed to the _checkValForAPI routine in the Dolibarr Shipments API. The fields argument is incorporated into a downstream SQL query without sufficient sanitization or parameterization. This allows an attacker who has API access to inject crafted SQL fragments into queries executed against the ERP backend database.
Dolibarr exposes shipment-related data through REST API endpoints used by integrations and clients. When the API processes the fields parameter, the value is interpolated into the query construction path handled by _checkValForAPI in htdocs/expedition/class/expedition.class.php. Successful injection can lead to disclosure or modification of records the database user can access.
The issue carries a CVSS 4.0 base score of 1.3 with an EPSS probability of 0.021%, reflecting the high attack complexity and limited confidentiality, integrity, and availability impact. A public proof-of-concept exists, increasing the likelihood of opportunistic exploitation against unpatched instances.
Root Cause
The root cause is improper input neutralization [CWE-74]. The fields argument flows into SQL statement construction without strict allowlisting or prepared-statement binding. Any attacker-controlled value that bypasses validation logic in _checkValForAPI reaches the database engine as executable SQL syntax.
Attack Vector
The attack vector is network-based and requires low-privilege API authentication. An attacker submits crafted values for the fields argument to the Shipments API endpoint. The injected SQL is executed within the context of the Dolibarr database account. Exploitation complexity is high because the injection path requires precise field manipulation that survives the API's existing validation logic. The vulnerability mechanism is described in the VulDB Vulnerability #360858 advisory and the accompanying VulDB CTI report for #360858.
Detection Methods for CVE-2026-7688
Indicators of Compromise
- Unusual API requests to Dolibarr Shipments endpoints containing SQL metacharacters such as single quotes, UNION, SELECT, or comment sequences in the fields parameter.
- Unexpected database errors logged by the Dolibarr application referencing the expedition class or shipment queries.
- Authenticated API sessions issuing high volumes of shipment queries with anomalous parameter structures.
Detection Strategies
- Inspect web server and application logs for requests to the Shipments API where the fields parameter contains SQL syntax tokens or encoded variants.
- Deploy a web application firewall rule that flags SQL injection patterns specifically targeting Dolibarr API routes under /api/index.php/shipments.
- Correlate authenticated API activity with database query telemetry to identify queries that deviate from baseline shipment workflows.
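As an added detection example (not code from this page or from the Dolibarr project), the following Python script applies the log inspection described above to constructed access-log lines: it isolates requests to /api/index.php/shipments, fully URL-decodes the fields parameter so encoded variants are inspected in their decoded form, flags values that lack the comma-separated column-name shape a legitimate request has, and records which SQL tokens from the indicator list appeared. The log lines, IP addresses and timestamps are constructed samples, not observed traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SHIPMENTS_ROUTE = "/api/index.php/shipments"
# Combined log format: ip - user [time] "METHOD target PROTO" status size
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Legitimate fields values are comma-separated column names, optionally alias-qualified (t.rowid)
ALLOWED_SHAPE = re.compile(r'^\w+(\.\w+)?(\s*,\s*\w+(\.\w+)?)*$')
# SQL metacharacters and keywords from the indicator list above
SQL_TOKENS = re.compile(r"(?i)('|--|;|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+=\d+)")

# Constructed sample lines (not real traffic): a benign request, a single-encoded
# injection attempt, a double-encoded attempt, and a request to another route.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2026:10:01:12 +0000] "GET /api/index.php/shipments?sortfield=t.rowid&fields=rowid,ref,date_creation HTTP/1.1" 200 5120
10.0.0.7 - - [03/May/2026:10:02:40 +0000] "GET /api/index.php/shipments?fields=rowid%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 212
10.0.0.7 - - [03/May/2026:10:02:41 +0000] "GET /api/index.php/shipments?fields=rowid%2527%2520OR%25201%253D1 HTTP/1.1" 500 212
10.0.0.9 - - [03/May/2026:10:03:02 +0000] "GET /api/index.php/products?fields=rowid%27 HTTP/1.1" 200 300
"""

def decode_fully(value, rounds=3):
    # Undo repeated percent-encoding so double-encoded variants are inspected decoded
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_fields(value):
    """Return the reasons a fields value looks suspicious (empty list when it looks normal)."""
    decoded = decode_fully(value)
    reasons = [] if ALLOWED_SHAPE.match(decoded.strip()) else ["unexpected_structure"]
    reasons += ["sql_token:" + tok.lower() for tok in SQL_TOKENS.findall(decoded)]
    return reasons

def scan_log(text):
    """Return one finding per Shipments API request whose fields parameter is suspicious."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        url = urlsplit(m.group("target")) if m else None
        if url is None or not url.path.startswith(SHIPMENTS_ROUTE):
            continue  # unparsable line or another Dolibarr route: out of scope for this rule
        # parse_qs strips one layer of percent-encoding; decode_fully handles any further layers
        for value in parse_qs(url.query, keep_blank_values=True).get("fields", []):
            if reasons := inspect_fields(value):
                findings.append({"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
                                 "fields": decode_fully(value), "reasons": reasons})
    return findings
```

Running scan_log over a real access log yields two findings for the sample above, both from 10.0.0.7, while the benign request and the products route are left alone; treat the structural check as the lower-noise signal and the token list as confirmation.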
Monitoring Recommendations
- Enable verbose logging for the Dolibarr REST API and forward logs to a centralized analytics platform for retention and search.
- Monitor database errors and slow queries originating from the Dolibarr application's database user.
- Track API token usage patterns and alert on tokens issuing requests outside expected business hours or volumes.
How to Mitigate CVE-2026-7688
Immediate Actions Required
- Restrict access to the Dolibarr Shipments API to trusted networks and authenticated service accounts only.
- Audit existing API tokens and revoke any that are unused, shared, or assigned excessive privileges.
- Review the database user permissions granted to Dolibarr and enforce least privilege, limiting the impact of any successful injection.
Patch Information
No vendor patch has been published at the time of disclosure. The vendor was contacted but did not respond. Monitor the Dolibarr project for updates beyond version 23.0.2 and apply fixes for htdocs/expedition/class/expedition.class.php once available. Refer to the VulDB Submission #799337 for ongoing tracking.
Workarounds
- Place the Dolibarr application behind a web application firewall configured to block SQL injection patterns on the Shipments API.
- Disable the Shipments API module if it is not in active use within the deployment.
- Apply input validation at a reverse proxy layer to allowlist expected fields parameter values before they reach the application.
# Example WAF rule (ModSecurity) blocking SQL tokens in the fields parameter
SecRule ARGS:fields "@rx (?i)(union\s+select|--|;|/\*|\bor\b\s+\d+=\d+)" \
"id:1026788,phase:2,deny,status:403,msg:'Possible SQLi targeting Dolibarr Shipments API (CVE-2026-7688)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.