Skip to main content
CVE Vulnerability Database

CVE-2026-7688: Dolibarr ERP CRM SQL Injection Vulnerability

CVE-2026-7688 is a SQL injection flaw in Dolibarr ERP CRM affecting versions up to 23.0.2 through the Shipments API endpoint. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-7688 Overview

CVE-2026-7688 is a SQL injection vulnerability affecting Dolibarr ERP CRM versions up to 23.0.2. The flaw resides in the _checkValForAPI function within htdocs/expedition/class/expedition.class.php, part of the Shipments API Endpoint component. An authenticated remote attacker can manipulate the fields argument to inject SQL statements into backend queries. The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Exploitation requires high attack complexity, and a public exploit has been disclosed. The vendor was contacted but did not respond to the disclosure.

Critical Impact

Remote authenticated attackers can inject SQL through the Shipments API fields parameter, potentially exposing or modifying ERP data stored in the underlying database.

Affected Products

  • Dolibarr ERP CRM versions up to and including 23.0.2
  • Component: Shipments API Endpoint (htdocs/expedition/class/expedition.class.php)
  • Function: _checkValForAPI

Discovery Timeline

  • 2026-05-03 - CVE-2026-7688 published to NVD
  • 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2026-7688

Vulnerability Analysis

The vulnerability stems from improper neutralization of user-supplied input passed to the _checkValForAPI routine in the Dolibarr Shipments API. The fields argument is incorporated into a downstream SQL query without sufficient sanitization or parameterization. This allows an attacker who has API access to inject crafted SQL fragments into queries executed against the ERP backend database.

Dolibarr exposes shipment-related data through REST API endpoints used by integrations and clients. When the API processes the fields parameter, the value is interpolated into the query construction path handled by _checkValForAPI in htdocs/expedition/class/expedition.class.php. Successful injection can lead to disclosure or modification of records the database user can access.

The issue carries a CVSS 4.0 base score of 1.3 with an EPSS probability of 0.021%, reflecting the high attack complexity and limited confidentiality, integrity, and availability impact. A public proof-of-concept exists, increasing the likelihood of opportunistic exploitation against unpatched instances.

Root Cause

The root cause is improper input neutralization [CWE-74]. The fields argument flows into SQL statement construction without strict allowlisting or prepared-statement binding. Any attacker-controlled value that bypasses validation logic in _checkValForAPI reaches the database engine as executable SQL syntax.

Attack Vector

The attack vector is network-based and requires low-privilege API authentication. An attacker submits crafted values for the fields argument to the Shipments API endpoint. The injected SQL is executed within the context of the Dolibarr database account. Exploitation complexity is high because the injection path requires precise field manipulation that survives the API's existing validation logic. The vulnerability mechanism is described in the VulDB Vulnerability #360858 advisory and accompanying VulDB CTI for #360858 report.

Detection Methods for CVE-2026-7688

Indicators of Compromise

  • Unusual API requests to Dolibarr Shipments endpoints containing SQL metacharacters such as single quotes, UNION, SELECT, or comment sequences in the fields parameter.
  • Unexpected database errors logged by the Dolibarr application referencing the expedition class or shipment queries.
  • Authenticated API sessions issuing high volumes of shipment queries with anomalous parameter structures.

Detection Strategies

  • Inspect web server and application logs for requests to the Shipments API where the fields parameter contains SQL syntax tokens or encoded variants.
  • Deploy a web application firewall rule that flags SQL injection patterns specifically targeting Dolibarr API routes under /api/index.php/shipments.
  • Correlate authenticated API activity with database query telemetry to identify queries that deviate from baseline shipment workflows.

Monitoring Recommendations

  • Enable verbose logging for the Dolibarr REST API and forward logs to a centralized analytics platform for retention and search.
  • Monitor outbound database errors and slow queries originating from the Dolibarr application user.
  • Track API token usage patterns and alert on tokens issuing requests outside expected business hours or volumes.

How to Mitigate CVE-2026-7688

Immediate Actions Required

  • Restrict access to the Dolibarr Shipments API to trusted networks and authenticated service accounts only.
  • Audit existing API tokens and revoke any that are unused, shared, or assigned excessive privileges.
  • Review database user permissions for Dolibarr to enforce least privilege, limiting impact of any successful injection.

Patch Information

No vendor patch has been published at the time of disclosure. The vendor was contacted but did not respond. Monitor the Dolibarr project for updates beyond version 23.0.2 and apply fixes for htdocs/expedition/class/expedition.class.php once available. Refer to the VulDB Submission #799337 for ongoing tracking.

Workarounds

  • Place the Dolibarr application behind a web application firewall configured to block SQL injection patterns on the Shipments API.
  • Disable the Shipments API module if it is not in active use within the deployment.
  • Apply input validation at a reverse proxy layer to allowlist expected fields parameter values before they reach the application.
bash
# Example WAF rule (ModSecurity) blocking SQL tokens in the fields parameter
SecRule ARGS:fields "@rx (?i)(union\s+select|--|;|/\*|\bor\b\s+\d+=\d+)" \
    "id:1026788,phase:2,deny,status:403,msg:'Possible SQLi targeting Dolibarr Shipments API (CVE-2026-7688)'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.