CVE-2026-32697 in SuiteCRM

Summary

by MITRE • 03/20/2026

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-32697 affects SuiteCRM versions prior to 8.9.3, representing a critical access control flaw that undermines the application's security model. This issue stems from an inconsistent implementation of Access Control List (ACL) validation within the application's core record handling mechanisms. The vulnerability specifically impacts the RecordHandler::getRecord() method which serves as a fundamental component for retrieving customer data across various modules within the CRM system. The flaw allows unauthorized users to bypass the intended permission controls and access records they should not be permitted to view, creating a significant data exposure risk.

The technical implementation of this vulnerability demonstrates a clear deviation from established security practices and standards. The RecordHandler::getRecord() method fails to perform the necessary ACLAccess('view') validation that should occur before returning any record data to a user. While the saveRecord() method correctly implements ACLAccess('save') checks to prevent unauthorized modifications, the getRecord() method omits the corresponding view permission verification. This inconsistency creates a scenario where users can retrieve sensitive customer information, leads, opportunities, or other business data without proper authorization, effectively creating a read-only privilege escalation path. The vulnerability is classified under CWE-284 Access Control Bypass, which specifically addresses situations where improper access control mechanisms allow unauthorized access to resources.

The operational impact of this vulnerability extends beyond simple data exposure, potentially enabling sophisticated attacks that leverage the retrieved information for further exploitation. An attacker with limited privileges could systematically enumerate records across different modules, building a comprehensive view of the organization's customer base and business operations. This reconnaissance capability significantly increases the risk of targeted attacks, data breaches, and competitive intelligence gathering. The vulnerability affects the confidentiality aspect of the CIA triad, as unauthorized access to sensitive business data could lead to financial losses, regulatory violations, and damage to business relationships. Organizations using SuiteCRM versions prior to 8.9.3 face potential compliance violations under data protection regulations such as GDPR, HIPAA, or other industry-specific standards that mandate proper access controls and data protection measures.

Security professionals should consider this vulnerability in the context of the MITRE ATT&CK framework, particularly under the T1078 Valid Accounts and T1566 Phishing tactics, as it enables attackers to gain access to sensitive data that could be used for social engineering attacks or to craft more convincing phishing campaigns. The vulnerability also aligns with T1046 Network Service Scanning and T1082 System Information Discovery, as attackers could use the privilege escalation to gather detailed information about the organization's systems and data structures. Organizations should implement immediate mitigations including updating to SuiteCRM version 8.9.3 or later, which patches the ACL validation issue by ensuring that getRecord() properly checks view permissions. Additionally, organizations should review their existing access control policies, implement proper monitoring for unauthorized data access attempts, and conduct security assessments to identify any potential exploitation that may have already occurred. The patch addresses the core technical flaw by implementing proper ACLAccess('view') checks in the getRecord() method, ensuring that all record retrieval operations respect the user's permission levels and maintain the integrity of the application's security model.
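The missing check described in the summary and the analysis above, reconstructed as an added illustration (this is not SuiteCRM's source): the pre-8.9.3 shape that returns the bean without any permission check, beside a hardened `getRecord()` that mirrors the `ACLAccess('save')` guard already present in `saveRecord()`. `BeanFactory::getBean()`, the `SugarBean` type and the hypothetical `getRecordUnchecked()` name are assumptions made for the example.

```php
<?php
// Illustrative reconstruction, not SuiteCRM's actual code.
// Assumes SugarBean-style objects exposing ACLAccess(string $action): bool,
// loaded via BeanFactory::getBean($module, $id) (assumption).

class RecordHandler
{
    // Pre-8.9.3 behaviour as the advisory describes it: the record is
    // returned as soon as it loads, with no view-permission check on the
    // current user. Kept only to show the defect; do not use.
    public function getRecordUnchecked(string $module, string $id): ?SugarBean
    {
        $bean = BeanFactory::getBean($module, $id);
        return $bean ?: null;
    }

    // Hardened form: the same ACL gate saveRecord() applies, but for 'view'.
    public function getRecord(string $module, string $id): ?SugarBean
    {
        $bean = BeanFactory::getBean($module, $id);
        if (!$bean) {
            return null;
        }
        if (!$bean->ACLAccess('view')) {
            // Design choice for this example: an unauthorized record is
            // reported exactly like a missing one, so the response cannot
            // be used to confirm that a given ID exists.
            return null;
        }
        return $bean;
    }

    // Existing, correct pattern per the advisory: write access is gated
    // on ACLAccess('save') before the bean is persisted.
    public function saveRecord(SugarBean $bean): bool
    {
        if (!$bean->ACLAccess('save')) {
            return false;
        }
        $bean->save();
        return true;
    }
}
```

The single point to verify when reviewing a patched deployment is that every read path through `getRecord()` performs the `ACLAccess('view')` test before the bean (or any field of it) leaves the handler.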

Responsible

GitHub M

Reservation

03/13/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00016

KEV

no

Activities

very low
