CVE-2026-33288
Received Received - Intake
SQL Injection in SuiteCRM Authentication Enables Privilege Escalation

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33288
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33288 is a high-severity SQL Injection vulnerability found in the authentication module of SuiteCRM versions up to 7.15.0 when directory support is enabled.

The vulnerability occurs because the application does not properly sanitize the user-supplied username before using it in a local database query.

An attacker with valid, low-privilege directory credentials can exploit this flaw to execute arbitrary SQL commands.

This can lead to complete privilege escalation, such as logging in as the CRM Administrator.

Impact Analysis

Exploiting this vulnerability allows an attacker to execute arbitrary SQL commands within the SuiteCRM database.

This can result in complete privilege escalation, enabling the attacker to gain administrator-level access.

The impact on confidentiality, integrity, and availability is high, meaning unauthorized users can access sensitive data, modify it, and disrupt services.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves SQL Injection in the SuiteCRM authentication module when directory support is enabled. Detection typically involves monitoring for unusual authentication attempts or SQL errors related to username input.

Since the vulnerability arises from improper sanitization of the username field, detection can include checking logs for suspicious SQL syntax or injection patterns in authentication requests.

Specific commands are not provided in the resources, but common approaches include using web application firewalls (WAF) to detect SQL injection patterns or running database query logs to identify anomalous queries involving the username field.

Mitigation Strategies

The primary mitigation step is to upgrade SuiteCRM to version 7.15.1 or later, as these versions contain the patch that fixes the SQL Injection vulnerability.

Additionally, if directory support is not required, disabling it can reduce the attack surface.

Implementing input validation and sanitization on the username field, as well as deploying a web application firewall to detect and block SQL injection attempts, can provide further protection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33288. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart