Home

Description

Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite matched triplets, allowing text placed outside the expected shape such as an appended UNION SELECT to be concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.

PUBLISHED Reserved 2026-06-30 | Published 2026-06-30 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

Any version
affected

14db36e8486ef725b0d493d97abb2950a54358d3 (git)
unaffected

Credits

George Chen finder

References

github.com/Dolibarr/dolibarr/issues/38768 (Researcher Disclosure) exploit technical-description

github.com/Dolibarr/dolibarr/pull/38794 (Fix PR) issue-tracking

github.com/...ommit/14db36e8486ef725b0d493d97abb2950a54358d3 (Fix Commit) patch

www.vulncheck.com/...ter-in-multiple-rest-api-list-endpoints third-party-advisory

cve.org (CVE-2026-58376)

nvd.nist.gov (CVE-2026-58376)

Download JSON