External risk intelligence

Dolibarr administrator account can be taken over by attackers via a command injection flaw

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-23500

An internal attacker with administrative access to Dolibarr can modify document settings to run unauthorized commands on the server. This allows them to gain full server control, potentially leading to the theft of sensitive business data and further unauthorized activity on the network.

Halo Surface Signal: 2

OS Command Injection

Dolibarr ERP/CRM

Affected versions: before 23.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-23500

This vulnerability requires authentication with administrative privileges to modify system configuration settings. Although Dolibarr is a web-based application, administrative interfaces and configuration functions are generally protected by internal network controls or VPNs. Consequently, this specific attack surface is unlikely to be exposed directly to the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an authenticated administrator to execute arbitrary operating system commands by manipulating a configuration setting used in the ODT to PDF conversion process. This could lead to a complete compromise of the web server.

  • Takeover of the server.
  • Affects Dolibarr ERP/CRM.
  • Requires admin access.

Attack Path

How an attacker could exploit the issue

An authenticated administrator could exploit this vulnerability by manipulating the ODT to PDF conversion setting to inject operating system commands. This could allow them to execute arbitrary code on the server as the web server user, enabling further compromise of the system or data exfiltration.

  • Requires admin access.
  • Exploit via ODT template settings.
  • Unsanitized setting value reaches a shell command.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows authenticated administrators to execute arbitrary OS commands by injecting them into a shell command that converts ODT to PDF. Attackers prefer vulnerabilities that are easier to exploit and don't require prior access or elevated privileges. While this flaw is critical, the authenticated administrator prerequisite limits its immediate appeal for widespread automated exploitation campaigns.

  • Requires administrator access.
  • No public exploit code observed.
  • Fix is available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Dolibarr ERP/CRM to version 23.0.0 to fix the critical remote code execution vulnerability. If immediate patching is not feasible, isolate affected systems to prevent exploitation until a fix can be applied.

  • Patch Dolibarr to 23.0.0.
  • Isolate vulnerable Dolibarr instances.
  • Monitor logs for suspicious ODT template generation.
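The attack path above comes down to one pattern: an administrator-controlled setting is spliced into the shell command that converts ODT to PDF. As an added illustration (not Dolibarr's own code, which is PHP; the converter names, flags and sample setting values are assumptions), the following Python shows the defensive shape that closes this class of flaw, plus an audit helper that flags stored settings containing shell metacharacters, which is the check to run when reviewing an instance that cannot be patched immediately.

```python
import re
import subprocess
from typing import Dict, List

# Converters an administrator may select, each mapped to a fixed argv template.
# Names and flags are illustrative assumptions, not Dolibarr's own settings.
ALLOWED_CONVERTERS: Dict[str, List[str]] = {
    "libreoffice": ["libreoffice", "--headless", "--convert-to", "pdf",
                    "--outdir", "{outdir}", "{input}"],
    "unoconv": ["unoconv", "-f", "pdf", "-o", "{outdir}", "{input}"],
}

# Characters that let a value break out of a single shell argument.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n\r]")


def audit_setting(value: str) -> List[str]:
    """Review a stored ODT-to-PDF conversion setting; an empty list means clean.

    Meant for checking the configuration of an existing, possibly unpatched
    instance: any finding means the value should be inspected by hand.
    """
    findings = []
    if value not in ALLOWED_CONVERTERS:
        findings.append("not an allowlisted converter name")
    if SHELL_METACHARS.search(value):
        findings.append("contains shell metacharacters")
    return findings


def build_conversion_argv(converter: str, odt_path: str, outdir: str) -> List[str]:
    """Build the conversion command as an argv list from a fixed template.

    The setting only selects a template; it is never spliced into a command string.
    """
    if converter not in ALLOWED_CONVERTERS:
        raise ValueError("rejected converter setting: %r" % converter)
    return [part.format(input=odt_path, outdir=outdir)
            for part in ALLOWED_CONVERTERS[converter]]


def run_conversion(converter: str, odt_path: str, outdir: str) -> int:
    """Run the converter with shell=False so argv goes straight to execve:
    a file name such as 'report.odt; extra' is passed as one literal argument."""
    argv = build_conversion_argv(converter, odt_path, outdir)
    return subprocess.run(argv, shell=False, check=False).returncode
```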

Frequently asked questions

What is Dolibarr ERP/CRM and what is it used for?

Dolibarr is a software package used for enterprise resource planning (ERP) and customer relationship management (CRM). It helps businesses manage various aspects of their operations, including customer interactions and internal resources.

What is CVE-2026-23500 and what kind of weakness does it represent?

CVE-2026-23500 is a critical vulnerability in Dolibarr that allows for remote code execution. The weakness is a command injection flaw, specifically CWE-78, where unsanitized input is used in a system command.

How can an attacker trigger the vulnerability in Dolibarr?

An attacker who already has administrator access to Dolibarr can trigger this vulnerability. They need to manipulate the ODT to PDF conversion setting, which is processed insecurely, to inject operating system commands. Once the setting has been altered, generating any ODT template runs the conversion step and with it the injected command.

Who should be concerned about this Dolibarr vulnerability?

Organizations using Dolibarr ERP/CRM with administrative accounts should be concerned. While the vulnerability requires authentication, the fact that it can be triggered through web-based administrative functions means it's relevant if those administrative interfaces could potentially be accessed, even if indirectly.

What is the first step to respond to this CVE in Dolibarr?

The most important first step is to update Dolibarr to version 23.0.0 or later. This version includes the fix for the command injection vulnerability.
