CVE-2026-34036 MEDIUM

CVE-2026-34036: Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php

Vendor: Dolibarr
Product: dolibarr
Weakness: CWE-98 (PHP file inclusion)
Published: March 31, 2026
Last update: March 31, 2026

CVSS base score: 6.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None
Availability: None (per the A:N component of the vector below)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description (what the vulnerability does)

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At the time of publication, there are no publicly available patches.

Disclosure timeline (key dates)

March 31, 2026: CVE published
March 31, 2026: Record updated