CVE-2026-33289

High

Published: 20 March 2026

Published

20 March 2026

Modified

23 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the…

LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Requires validation of user-supplied input before embedding into LDAP search filters, directly preventing LDAP injection for authentication bypass or disclosure.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of flaws like this LDAP injection vulnerability through patching as implemented in SuiteCRM versions 7.15.1 and 8.9.3.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Enables vulnerability scanning to identify LDAP injection flaws in authentication flows during monitoring activities.

Security SummaryAI

CVE-2026-33289 is an LDAP injection vulnerability in the authentication flow of SuiteCRM, an open-source enterprise-ready Customer Relationship Management (CRM) software application. The flaw affects SuiteCRM versions prior to 7.15.1 and 8.9.3, where the application fails to properly sanitize user-supplied input before embedding it into LDAP search filters, allowing injection of LDAP control characters.

An unauthenticated attacker can exploit this vulnerability by manipulating the LDAP query logic during authentication, potentially achieving authentication bypass or information disclosure. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query).

SuiteCRM versions 7.15.1 and 8.9.3 patch this issue. Additional details are available in the release notes at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599.

Details

CWE(s): CWE-90

Affected Products

suitecrm

≤ 7.15.1 · 8.0.0 — 8.9.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

LDAP injection in the authentication flow of the public-facing web application SuiteCRM directly enables exploitation of a public-facing application (T1190) for authentication bypass and information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://docs.suitecrm.com/admin/releases/7.15.x
Release Notes · security-advisories@github.com
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599
Vendor Advisory · security-advisories@github.com