CVE-2026-33288

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.suitecrm.com/admin/releases/7.15.x	Release Notes
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:suitecrm:suitecrm::::::::
	cpe:2.3:a:suitecrm:suitecrm::::::::

History

No history.

Information

Published : 2026-03-20 00:16

Updated : 2026-03-23 16:56

NVD link : CVE-2026-33288

Mitre link : CVE-2026-33288

CVE.ORG link : CVE-2026-33288

JSON object : View

Products Affected

suitecrm

suitecrm

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-33288", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T00:16:18.470", "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de gesti\u00f3n de relaciones con clientes (CRM) de c\u00f3digo abierto y lista para empresas. Prior a las versiones 7.15.1 y 8.9.3, existe una vulnerabilidad de inyecci\u00f3n SQL en los mecanismos de autenticaci\u00f3n de SuiteCRM cuando el soporte de directorio est\u00e1 habilitado. La aplicaci\u00f3n no logra sanear correctamente el nombre de usuario proporcionado por el usuario antes de usarlo en una consulta de base de datos local. Un atacante con credenciales de directorio v\u00e1lidas y de bajo privilegio puede explotar esto para ejecutar comandos SQL arbitrarios, lo que lleva a una escalada de privilegios completa (por ejemplo, iniciar sesi\u00f3n como el Administrador de CRM). Las versiones 7.15.1 y 8.9.3 parchean el problema."}], "lastModified": "2026-03-23T16:56:51.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99", "versionEndExcluding": "7.15.1"}, {"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF", "versionEndExcluding": "8.9.3", "versionStartIncluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}