A security vulnerability has been identified in Dolibarr ERP & CRM, a popular open-source suite used by organizations worldwide to manage business activities ranging from invoices to human resources. The flaw, tracked as CVE-2026-23500, carries a CVSS score of 9.4, representing a critical risk of Remote Code Execution (RCE).
The security gap resides within the application’s document conversion logic, specifically in the file htdocs/includes/odtphp/odf.php. When Dolibarr attempts to convert an ODT document (such as a proposal or invoice) into a PDF, it relies on a global configuration constant named MAIN_ODT_AS_PDF to construct a shell command.
While the application properly sanitizes the output filename, it fails to perform the same level of validation on the MAIN_ODT_AS_PDF variable itself. As the report details:
“This vulnerability exists because the application fails to properly validate or escape the command path before passing it to the exec() function in the ODT to PDF conversion process”.
An authenticated administrator (or an attacker who has compromised an admin account) can exploit this by injecting a malicious payload into the MAIN_ODT_AS_PDF constant via the database. By appending a command separator (such as a semicolon), an adversary can execute arbitrary operating system commands with the privileges of the web server user.
The impact of a successful exploit is absolute. According to the analysis, it allows for:
- Sensitive Data Theft: Reading configuration files to steal database credentials.
- Integrity Loss: Directly modifying the application's source code.
- Full System Takeover: Potential for a full system compromise, including pivoting through the network or escaping containerized environments like Docker.

The vulnerability affects all versions of Dolibarr ERP & CRM up to and including version 22.0.4. To mitigate the risk, administrators are urged to transition to version 23.0, which contains the necessary patches to properly validate configuration constants before they reach the execution layer.
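As an added illustration (not Dolibarr's own code and not the fix shipped in 23.0), the hypothetical PHP wrapper below shows the kind of validation the advisory calls for: the converter path read from configuration is checked against a strict pattern and an allow-list before any command is assembled, and every argument is escaped. The function names, the LibreOffice flags and the allow-listed binary paths are assumptions for illustration.

```php
<?php
// Added example, not Dolibarr's code: hardened ODT -> PDF conversion that
// validates a configured converter path before it ever reaches exec().
// Function names, flags and the allow-list below are illustrative assumptions.

/**
 * Validate a converter path taken from configuration.
 * Returns the resolved path on success, throws on anything suspicious.
 */
function validateConverterPath(string $configured): string
{
    // Accept only a plain absolute path: no whitespace and no shell
    // metacharacters such as ';', '|', '&', '$' or backticks.
    if (!preg_match('#^/[A-Za-z0-9._/\-]+$#', $configured)) {
        throw new InvalidArgumentException('Converter path contains disallowed characters');
    }
    $real = realpath($configured);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        throw new InvalidArgumentException('Converter path is not an executable file');
    }
    // Allow-list of known converter binaries (assumed locations).
    $allowed = ['/usr/bin/soffice', '/usr/bin/libreoffice'];
    if (!in_array($real, $allowed, true)) {
        throw new InvalidArgumentException('Converter path is not on the allow-list');
    }
    return $real;
}

/**
 * Build and run the conversion. Every argument goes through escapeshellarg(),
 * so neither the converter path nor the filenames can alter the command.
 */
function convertOdtToPdf(string $converterFromConfig, string $odtFile, string $outDir): array
{
    $converter = validateConverterPath($converterFromConfig);
    $cmd = escapeshellarg($converter)
        . ' --headless --convert-to pdf --outdir ' . escapeshellarg($outDir)
        . ' ' . escapeshellarg($odtFile);
    exec($cmd . ' 2>&1', $output, $status);
    return ['status' => $status, 'output' => $output, 'command' => $cmd];
}

// Constructed sample: a tampered constant of the shape the advisory describes
// is rejected by validation before any shell command is assembled.
try {
    convertOdtToPdf('/usr/bin/soffice; echo tampered', '/tmp/proposal.odt', '/tmp');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```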