CVE-2026-33288
SQL Injection in SuiteCRM Authentication Enables Privilege Escalation
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suitecrm | suitecrm | to 7.15.1 (exc) |
| suitecrm | suitecrm | From 8.0.0 (inc) to 8.9.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33288 is a high-severity SQL Injection vulnerability found in the authentication module of SuiteCRM versions up to 7.15.0 when directory support is enabled.
The vulnerability occurs because the application does not properly sanitize the user-supplied username before using it in a local database query.
An attacker with valid, low-privilege directory credentials can exploit this flaw to execute arbitrary SQL commands.
This can lead to complete privilege escalation, such as logging in as the CRM Administrator.
How can this vulnerability impact me? :
Exploiting this vulnerability allows an attacker to execute arbitrary SQL commands within the SuiteCRM database.
This can result in complete privilege escalation, enabling the attacker to gain administrator-level access.
The impact on confidentiality, integrity, and availability is high, meaning unauthorized users can access sensitive data, modify it, and disrupt services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL Injection in the SuiteCRM authentication module when directory support is enabled. Detection typically involves monitoring for unusual authentication attempts or SQL errors related to username input.
Since the vulnerability arises from improper sanitization of the username field, detection can include checking logs for suspicious SQL syntax or injection patterns in authentication requests.
Specific commands are not provided in the resources, but common approaches include using web application firewalls (WAF) to detect SQL injection patterns or running database query logs to identify anomalous queries involving the username field.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade SuiteCRM to version 7.15.1 or later, as these versions contain the patch that fixes the SQL Injection vulnerability.
Additionally, if directory support is not required, disabling it can reduce the attack surface.
Implementing input validation and sanitization on the username field, as well as deploying a web application firewall to detect and block SQL injection attempts, can provide further protection.