CVE-2026-10215

Source
https://cve.org/CVERecord?id=CVE-2026-10215
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10215.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10215
Aliases
Published
2026-06-01T02:15:09.249Z
Modified
2026-07-08T08:12:22.767572153Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization
Details

A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10215.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-266",
        "CWE-285"
    ]
}
References

Affected packages

Git / github.com/dolibarr/dolibarr

Affected ranges

Type
GIT
Repo
https://github.com/dolibarr/dolibarr
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "23.0.0"
        },
        {
            "last_affected": "23.0.0"
        },
        {
            "introduced": "23.0.1"
        },
        {
            "last_affected": "23.0.1"
        }
    ]
}

Affected versions

23.*
23.0.0
23.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10215.json"