CVE-2026-10215 Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization

🗓️ 01 Jun 2026 02:15:09Reported by VulDBType

CVE-2026-10215 Dolibarr Leave Request API improper authorization via access check; upgrade to 23.0.2.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-10215	1 Jun 202602:15	–	attackerkb
CNNVD	Dolibarr ERP CRM 授权问题漏洞	1 Jun 202600:00	–	cnnvd
CVE	CVE-2026-10215	1 Jun 202602:15	–	cve
EUVD	EUVD-2026-33536	1 Jun 202602:15	–	euvd
NVD	CVE-2026-10215	1 Jun 202603:16	–	nvd
Positive Technologies	PT-2026-45247	1 Jun 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-10215	3 Jun 202622:01	–	redhatcve
Vulnrichment	CVE-2026-10215 Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization	1 Jun 202602:15	–	vulnrichment

[
  {
    "vendor": "Dolibarr",
    "product": "ERP CRM",
    "versions": [
      {
        "version": "23.0.0",
        "status": "affected"
      },
      {
        "version": "23.0.1",
        "status": "affected"
      },
      {
        "version": "23.0.2",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:2.3:a:dolibarr:erp_crm:*:*:*:*:*:*:*:*"
    ],
    "modules": [
      "Leave Request REST API"
    ]
  }
]

Source	Link
vuldb	www.vuldb.com/vuln/367494
github	www.github.com/Dolibarr/dolibarr/commit/ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73
github	www.github.com/Dolibarr/dolibarr/issues/37752
github	www.github.com/user-attachments/files/26487388/2_Dolibarr_Leave_Request_API_Horizontal_Unauthorized_Read_en.pdf
github	www.github.com/Dolibarr/dolibarr/releases/tag/23.0.2
github	www.github.com/Dolibarr/dolibarr/issues/37752
vuldb	www.vuldb.com/cve/CVE-2026-10215
vuldb	www.vuldb.com/vuln/367494/cti
vuldb	www.vuldb.com/submit/821930

01 Jun 2026 02:15Current

CVSS 24

CVSS 3.14.3

CVSS 34.3

CVSS 45.3

EPSS0.00259