Security researcher Jiva has discovered a zero-day vulnerability in Dolibarr 23.0.0 that permits authenticated administrators to execute arbitrary PHP code on the server. The flaw, tracked as CVE-2026-22666, resides in the application's expression evaluation engine.
Dolibarr, a widely used open-source ERP/CRM platform, utilizes a function called `dol_eval()` to process computed extrafields. These fields allow administrators to run PHP expressions to dynamically display data. While developers implemented a sandbox via `dol_eval_standard()` to prevent malicious input, the researcher found a critical bypass in the validation logic.
A flawed whitelist implementation
The vulnerability stems from a logic error in how the software handles its security modes. The `dol_eval_standard()` function contains two separate validation paths based on a global configuration variable. While the function defines a list of forbidden strings—including dangerous classes like `SplFileObject`—the code that actually scans for these patterns only runs when the system is in 'blacklist mode.'
In the default 'whitelist mode,' the system only checks function calls against a permitted list. This leaves the engine vulnerable to any command that does not use a forbidden function name but still executes malicious logic. Jiva noted that the whitelist branch fails to apply the character-level and pattern-level checks present in the blacklist branch.
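As an added illustration of the logic error described above (this is not Dolibarr's code and not the researcher's proof of concept), the following Python models the two validation branches side by side with a hardened version that runs the forbidden-string scan in both modes; the permitted-function set, the call-matching rule, the sample expressions and the `find_risky_extrafields` review helper are all assumptions.

```python
import re

# Constructed model of the two validation paths the article describes.
# It is not Dolibarr's dol_eval_standard(); the lists below are assumed samples.
FORBIDDEN_PATTERNS = ("SplFileObject",)  # the one forbidden string the report names
ALLOWED_FUNCTIONS = {"round", "max", "min", "strlen", "price"}  # assumed whitelist subset
# Function-call names; `new Class(` is skipped, modelling a whitelist that
# inspects function calls only (an assumption about the real check).
CALL_NAME = re.compile(r"(?<!new\s)\b([A-Za-z_]\w*)\s*\(")


def _calls_allowed(expr: str) -> bool:
    return all(name in ALLOWED_FUNCTIONS for name in CALL_NAME.findall(expr))


def _no_forbidden_pattern(expr: str) -> bool:
    return not any(pat in expr for pat in FORBIDDEN_PATTERNS)


def validate_flawed(expr: str, blacklist_mode: bool) -> bool:
    """Reported structure: the forbidden-pattern scan lives only in the
    blacklist branch, so whitelist mode never runs it."""
    if blacklist_mode:
        return _no_forbidden_pattern(expr)
    return _calls_allowed(expr)


def validate_fixed(expr: str, blacklist_mode: bool) -> bool:
    """Hardened structure: the pattern scan runs in both modes, and whitelist
    mode additionally requires every call to be on the permitted list."""
    if not _no_forbidden_pattern(expr):
        return False
    return True if blacklist_mode else _calls_allowed(expr)


def find_risky_extrafields(definitions, blacklist_mode: bool = False) -> list:
    """Names of stored computed-extrafield expressions the hardened validator
    rejects; a starting point when reviewing an instance's configuration."""
    return [name for name, expr in definitions
            if not validate_fixed(expr, blacklist_mode)]


# Constructed sample expressions (not from the advisory).
SAMPLES = [
    ("benign", "round($object->total_ht * 1.2, 2)"),
    ("unlisted_call", "phpinfo()"),
    ("forbidden_class", "new SplFileObject('demo.txt')"),
]

if __name__ == "__main__":
    for name, expr in SAMPLES:
        print(name, validate_flawed(expr, False), validate_fixed(expr, False))
    print(find_risky_extrafields(SAMPLES))
```

In the flawed model the `forbidden_class` sample passes whitelist mode because no function call is present, while the hardened model rejects it in either mode.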
By exploiting this oversight, an attacker with administrative credentials can bypass the sandbox. The researcher also found that, on default deployments still using the default administrative credentials, the vulnerability could be exploited without any credential guessing.
No patch was immediately available at the time of the report. Organizations using Dolibarr 23.0.0 are advised to review their administrative access controls and monitor for unauthorized configuration changes.