Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure via IDOR
Action: Immediate patch
AI Analysis

Impact

The vulnerability arises because the RecordHandler::getRecord() method in SuiteCRM bypasses the ACLAccess('view') check that would normally restrict which records an authenticated user can view. An attacker who is logged in can request any record by module and ID, effectively bypassing all access control for read operations. This permits the disclosure of confidential customer or business data, compromising the confidentiality of the organization’s information resources.
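The gap the advisory describes, as an added illustrative PHP example (not SuiteCRM's code): a minimal record handler with the unchecked read path next to the hardened one. Bean, StubBean, loadBean() and the ACL map are constructed stand-ins for the real classes.

```php
<?php
// Added illustrative example, not SuiteCRM's code. Bean, StubBean, loadBean()
// and the ACL map are constructed stand-ins for the real classes.
class AccessDeniedException extends RuntimeException {}

interface Bean { public function ACLAccess(string $action): bool; }

// Constructed bean: ACL answers come from a fixed map, not SuiteCRM's ACL engine.
final class StubBean implements Bean {
    public function __construct(public string $module, public string $id, private array $acl) {}
    public function ACLAccess(string $action): bool { return $this->acl[$action] ?? false; }
}

class RecordHandler {
    /** @param array<string, Bean> $store constructed store keyed "Module/ID" */
    public function __construct(private array $store) {}

    private function loadBean(string $module, string $id): ?Bean {
        return $this->store["$module/$id"] ?? null;
    }

    // Pre-8.9.3 shape as the advisory describes it: the bean goes back to any
    // authenticated caller with no view check, so knowing an ID is enough (CWE-639).
    public function getRecordUnchecked(string $module, string $id): ?Bean {
        return $this->loadBean($module, $id);
    }

    // Hardened shape: gate reads on ACLAccess('view'), the counterpart of the
    // ACLAccess('save') check that saveRecord() already performs.
    public function getRecord(string $module, string $id): ?Bean {
        $bean = $this->loadBean($module, $id);
        if ($bean !== null && !$bean->ACLAccess('view')) {
            throw new AccessDeniedException("view denied for $module/$id");
        }
        return $bean;
    }

    public function saveRecord(Bean $bean): void {
        if (!$bean->ACLAccess('save')) { throw new AccessDeniedException('save denied'); }
        // ... persist the bean here
    }
}

// Constructed data: the current user may view Accounts/1 but not Contacts/2.
$handler = new RecordHandler([
    'Accounts/1' => new StubBean('Accounts', '1', ['view' => true, 'save' => true]),
    'Contacts/2' => new StubBean('Contacts', '2', ['view' => false, 'save' => false]),
]);
echo 'unchecked read leaked Contacts/2: ', var_export($handler->getRecordUnchecked('Contacts', '2') !== null, true), "\n";
try { $handler->getRecord('Contacts', '2'); } catch (AccessDeniedException $e) { echo 'checked read: ', $e->getMessage(), "\n"; }
```

The same pattern applies to any read path that resolves a bean from a caller-supplied ID: the ACL decision must be made on the loaded bean before it is returned, not left to the caller.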

Affected Systems

Vulnerable instances are all SuiteCRM Core versions released before 8.9.3, regardless of the module or record type. The issue lies in the SuiteCRM Core component and is reachable by any authenticated user of the application. Version 8.9.3 and later include a patch that restores the correct ACL check.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity, while the EPSS of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which further suggests that no publicly known exploits exist. Exploitation requires an authenticated user (the CVSS vector records PR:L), so the attack is only available to someone who can log in. Once authenticated, an attacker can read any record, leading to potential data leakage across the organization.

Generated by OpenCVE AI on March 23, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current SuiteCRM Core version installed.
  • If the version is older than 8.9.3, upgrade immediately to SuiteCRM Core 8.9.3 or a later release that includes the fix.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Suitecrm; Suitecrm suitecrm
Type: Vendors & Products
Values Added: Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:30:00 +0000

Type: Description
Values Added: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
Type: Title
Values Added: SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)
Type: Weaknesses
Values Added: CWE-639
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:04:17.239Z

Reserved: 2026-03-13T14:33:42.822Z

Link: CVE-2026-32697

Vulnrichment

Updated: 2026-03-20T20:04:13.383Z

NVD

Status: Analyzed

Published: 2026-03-20T00:16:16.600

Modified: 2026-03-23T16:42:53.120

Link: CVE-2026-32697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:10:34Z

Weaknesses