Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an SQL Injection in SuiteCRM’s authentication module that occurs when directory support is enabled. The application fails to sanitize the user-supplied username before it is used in a local database query. An attacker with valid, low-privilege directory credentials can insert malicious SQL and execute arbitrary commands, effectively gaining full administrative access to the CRM system.

Affected Systems

Installations of SuiteCRM running versions before 7.15.1 and 8.9.3 are affected. The flaw lies in the authentication handling for directory-enabled logins and applies to any deployment of those unpatched versions.

Risk and Exploitability

The CVSS base score of 8.8 marks this issue as high severity, while an EPSS score of less than 1% indicates low current exploit probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack path requires an attacker to first authenticate with low-privilege directory credentials and then craft a username that triggers the injection; once successful, the attacker can run any SQL statements allowed by the database user, effectively taking over the system.

Generated by OpenCVE AI on March 23, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SuiteCRM 7.15.1 or 8.9.3 patch recommended by the vendor
  • If upgrading is not immediately possible, disable directory support in the authentication configuration to eliminate the injection vector
  • Confirm that username input is properly sanitized, for example by testing with known injection payloads
  • Continuously monitor suite log files for abnormal database activity or execution of unexpected queries

Generated by OpenCVE AI on March 23, 2026 at 18:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Suitecrm
Suitecrm suitecrm
Vendors & Products Suitecrm
Suitecrm suitecrm

Thu, 19 Mar 2026 23:30:00 +0000

Type Values Removed Values Added
Description SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
Title SuiteCRM has Authenticated SQL Injection in Authentication Module
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Suitecrm Suitecrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:09:17.763Z

Reserved: 2026-03-18T18:55:47.426Z

Link: CVE-2026-33288

cve-icon Vulnrichment

Updated: 2026-03-20T16:58:32.617Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T00:16:18.470

Modified: 2026-03-23T16:56:51.460

Link: CVE-2026-33288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:03Z

Weaknesses