CVE-2026-32697
Improper Access Control in SuiteCRM getRecord() Allows Data Exposure
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suitecrm | suitecrm | up to 8.9.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32697 is an authorization bypass vulnerability in SuiteCRM versions up to 8.9.2. The issue occurs because the method RecordHandler::getRecord() retrieves records by module and ID without checking if the current user has permission to view the record (ACLAccess('view')). This means any authenticated user with basic privileges can access any record's data without proper authorization.
While the saveRecord() method correctly enforces permission checks for saving records, getRecord() skips the equivalent view permission check, allowing unauthorized read access through REST API or GraphQL queries. [1]
How can this vulnerability impact me?
This vulnerability can lead to a high confidentiality loss because unauthorized users can read any record in the SuiteCRM system without proper permissions. Attackers with low privileges can access sensitive data across modules, bypassing all access control mechanisms such as Security Groups, Roles, and Team-based access controls.
There is no impact on data integrity or availability, but the unauthorized disclosure of sensitive information can have serious consequences depending on the data stored in the CRM.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized access attempts to SuiteCRM records via the REST API or GraphQL queries that bypass ACL view permission checks.
Specifically, look for API requests such as GET /api/record/{id}?module={module} made by authenticated users with low privileges (ROLE_USER) that should not have access to certain records.
Commands to detect such activity could include network traffic inspection or web server log analysis filtering for these API endpoints.
- Use tools like tcpdump or Wireshark to capture HTTP GET requests to /api/record/ endpoints.
- Example tcpdump command: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep '/api/record/'`
- Analyze web server access logs (e.g., Apache or Nginx) with grep or similar tools: `grep '/api/record/' /var/log/apache2/access.log`
- Check for unusual access patterns by low-privilege users accessing records they should not view. [1]
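The access-log route above is the more reliable of the two, since the web server records the request path after TLS termination, whereas a packet capture on port 443 only sees ciphertext. The following is an added detection example, not code from SuiteCRM or from this advisory: it parses constructed Apache/Nginx combined-format lines, keeps only successful GET /api/record/{id}?module=... reads, and flags a user reading a module outside a constructed role map as well as one client reading several distinct record IDs within a short window. The user names, record IDs, modules, thresholds and the assumption that the %u field carries the authenticated SuiteCRM user are all illustrative.

```python
"""Added detection example for CVE-2026-32697 (not SuiteCRM code): scan combined-format
access logs for GET /api/record/{id}?module=... reads and flag a user reading a module
outside a constructed role map, or one client reading many distinct record IDs quickly."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
RECORD_RE = re.compile(r'^/api/record/(?P<id>[^/?]+)$')
ALLOWED = {"alice": {"Calls", "Meetings"}, "bob": {"Cases"}}  # constructed user -> readable modules
ENUM_THRESHOLD, ENUM_WINDOW_SEC = 3, 60  # flag >= 3 distinct record IDs within 60 s (constructed)

def parse(line):
    """Return (ip, user, ts, module, record_id) for a successful GET record read, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET" or m["status"] != "200":
        return None
    url = urlsplit(m["target"])
    r = RECORD_RE.match(url.path)
    if not r:
        return None
    module = parse_qs(url.query).get("module", [None])[0]
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # %u assumed to hold the CRM user
    return m["ip"], m["user"], ts, module, r["id"]

def find_suspicious(lines):
    """Return sorted (user, reason) findings for the given access-log lines."""
    findings, reads = set(), defaultdict(list)  # reads: (ip, user) -> [(ts, record_id)]
    for ip, user, ts, module, rid in filter(None, map(parse, lines)):
        if user in ALLOWED and module not in ALLOWED[user]:
            findings.add((user, f"read {module} record outside role"))
        reads[(ip, user)].append((ts, rid))
    for (ip, user), events in reads.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window over time-ordered reads
            ids = {rid for t, rid in events[i:] if (t - t0).total_seconds() <= ENUM_WINDOW_SEC}
            if len(ids) >= ENUM_THRESHOLD:
                findings.add((user, f"{len(ids)} distinct record IDs in {ENUM_WINDOW_SEC}s from {ip}"))
                break
    return sorted(findings)

SAMPLE_LOG = [  # constructed lines; users, IDs and modules are illustrative
    '10.0.0.5 - alice [20/Mar/2026:10:00:01 +0000] "GET /api/record/c1?module=Calls HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - alice [20/Mar/2026:10:00:02 +0000] "GET /api/record/a9?module=Accounts HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.7 - bob [20/Mar/2026:10:05:00 +0000] "GET /api/record/k1?module=Cases HTTP/1.1" 200 700 "-" "curl/8.0"',
    '10.0.0.7 - bob [20/Mar/2026:10:05:03 +0000] "GET /api/record/k2?module=Cases HTTP/1.1" 200 700 "-" "curl/8.0"',
    '10.0.0.7 - bob [20/Mar/2026:10:05:07 +0000] "GET /api/record/k3?module=Cases HTTP/1.1" 200 700 "-" "curl/8.0"',
]
```

Users absent from the role map are only checked for the enumeration pattern, so the map should be exported from the CRM's actual role assignments rather than hand-maintained.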
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SuiteCRM to version 8.9.3 or later, where the vulnerability is patched.
Until the upgrade can be applied, restrict access to the REST API and GraphQL endpoints to trusted users only, and monitor for suspicious access attempts.
Additionally, review and tighten network access controls and authentication mechanisms to limit exposure.