CVE-2026-33289

HIGH

SuiterCRM has LDAP Filter Injection in Authentication Module

Title source: cna

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.

References (2)

[X_Refsource_Confirm] https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599

[X_Refsource_Misc] https://docs.suitecrm.com/admin/releases/7.15.x

Scores

CVSS v3 8.8

EPSS 0.0010

EPSS Percentile 27.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-90

Status published

Products (3)

suitecrm/suitecrm < 7.15.1

SuiteCRM/SuiteCRM < 7.15.1

SuiteCRM/SuiteCRM >= 8.0.0, < 8.9.3

Published Mar 20, 2026

Tracked Since Mar 20, 2026