Remote Code Execution Vulnerability in Dolibarr ERP Software
CVE-2026-23500
What is CVE-2026-23500?
CVE-2026-23500 is a serious vulnerability affecting Dolibarr, an open-source enterprise resource planning (ERP) and customer relationship management (CRM) software package. This vulnerability arises from a flaw in the ODT to PDF conversion process, specifically in the odf.php file. The vulnerability allows an authenticated administrator to execute arbitrary operating system commands through unsanitized input. By manipulating the MAIN_ODT_AS_PDF configuration constant, an attacker could potentially achieve remote code execution as the web server user when generating ODT templates.
The implications of this vulnerability are significant for organizations using Dolibarr, as it exposes them to considerable security risks. If exploited, attackers could gain unauthorized control over the web server, leading to further compromise of sensitive organizational data and infrastructure.
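To show the defect class the advisory describes, here is an added illustration (not Dolibarr's code and not the patched odf.php): a conversion setting interpolated straight into a shell command, beside a hardened builder that only accepts an allowlisted converter name and passes every path through escapeshellarg(). Only the constant name MAIN_ODT_AS_PDF comes from the advisory; the function names, the allowlist and the sample paths are assumptions.

```php
<?php
// Added example, constructed for illustration: the pattern behind command injection
// through a document-conversion setting. Not Dolibarr's code.

// UNSAFE: the configuration value is trusted and concatenated into a shell string,
// so whoever can edit the constant (an administrator here) controls the command line.
function buildOdtToPdfCommandUnsafe(string $odtPath, string $mainOdtAsPdf): string
{
    return $mainOdtAsPdf . ' --headless --convert-to pdf ' . $odtPath; // fed to exec()
}

// SAFE: the setting selects one of a few fixed argument vectors and never reaches
// the shell itself; file paths are validated and escaped individually.
const ODT_TO_PDF_CONVERTERS = [
    'libreoffice' => ['libreoffice', '--headless', '--convert-to', 'pdf', '--outdir'],
    'unoconv'     => ['unoconv', '-f', 'pdf', '-o'],
];

function buildOdtToPdfCommand(string $odtPath, string $outDir, string $setting): string
{
    if (!array_key_exists($setting, ODT_TO_PDF_CONVERTERS)) {
        throw new InvalidArgumentException('Unsupported MAIN_ODT_AS_PDF value: ' . $setting);
    }
    // Only plain .odt paths are accepted; this is a sanity check on the input,
    // the shell-safety comes from escapeshellarg() below.
    if (!preg_match('#^[\w./-]+\.odt$#', $odtPath)) {
        throw new InvalidArgumentException('Refusing unexpected ODT path');
    }
    $argv   = ODT_TO_PDF_CONVERTERS[$setting];
    $argv[] = $outDir;
    $argv[] = $odtPath;
    // escapeshellarg() single-quotes each argument, so no metacharacter inside a
    // path or setting can end the argument and start a second command.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Demonstration with constructed values.
echo buildOdtToPdfCommand('/var/www/documents/invoice.odt', '/tmp/out', 'libreoffice'), PHP_EOL;

try {
    // A setting value carrying shell syntax is rejected before any command is built.
    buildOdtToPdfCommand('/var/www/documents/invoice.odt', '/tmp/out', 'libreoffice $(hostname)');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist check is useful as a detective control: periodically comparing the stored MAIN_ODT_AS_PDF value against the expected converter names flags tampering by a compromised administrator account.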
Potential Impact of CVE-2026-23500
- Unauthorized Remote Code Execution: Attackers could execute arbitrary commands on the server, leading to complete system compromise. This can enable further intrusion into the network, data theft, or installation of malware.
- Data Breaches: With the ability to execute commands, attackers may access, alter, or exfiltrate sensitive data stored within the Dolibarr application. Such breaches could result in significant financial losses and damage to an organization's reputation.
- Operational Disruption: Exploitation of this vulnerability might lead to downtime or degraded performance of the ERP system, disrupting business operations. This could affect an organization's productivity and service delivery, leading to potential revenue loss.

Affected Version(s)
dolibarr < 23.0.0
