SuiteCRM Record Handler ACL Bypass Vulnerability Allowing Unauthorized Record Access

Vulnerability

A vulnerability exists in SuiteCRM versions through 8.9.2 in the `RecordHandler::getRecord()` method, which retrieves records by module and ID without verifying the user's ACL view permission. This oversight allows any authenticated user to access records across all modules, bypassing SuiteCRM's ACL system for read operations. The `saveRecord()` method, in contrast, properly checks save permissions. The vulnerability can be exploited via the REST API or GraphQL queries.
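To make the missing-check pattern concrete, the following PHP snippet is an added illustration written for this page; it is not SuiteCRM's code and does not reproduce SuiteCRM's `RecordHandler` or ACL classes. It places a handler that returns a record by module and ID with no authorization decision beside a hardened handler that verifies the caller's "view" permission first. The `AclService` interface, the `ArrayAclService` in-memory implementation, the record store and the user/permission data are all constructed here and labelled as such.

```php
<?php
// Added illustration (not SuiteCRM's code): a record handler that returns a
// record without an ACL check, beside a hardened version that verifies the
// calling user's "view" permission before touching the record. Every class
// and all sample data below are constructed for this example.

declare(strict_types=1);

final class AccessDeniedException extends RuntimeException {}

interface AclService
{
    // Returns true when $userId may perform $action ("view", "edit", ...) on $module.
    public function isAllowed(string $userId, string $module, string $action): bool;
}

// Hypothetical in-memory ACL: user => module => list of permitted actions.
final class ArrayAclService implements AclService
{
    public function __construct(private array $grants) {}

    public function isAllowed(string $userId, string $module, string $action): bool
    {
        return in_array($action, $this->grants[$userId][$module] ?? [], true);
    }
}

// Vulnerable pattern: the record is fetched and returned by module + id with no
// authorization decision, so any authenticated caller can read any record.
final class VulnerableRecordHandler
{
    public function __construct(private array $store) {}

    public function getRecord(string $userId, string $module, string $id): ?array
    {
        return $this->store[$module][$id] ?? null;
    }
}

// Hardened pattern: the "view" ACL decision is made before the record is
// looked up; a denial raises instead of silently returning data, which also
// gives the application a single place to log refused reads.
final class SecureRecordHandler
{
    public function __construct(private array $store, private AclService $acl) {}

    public function getRecord(string $userId, string $module, string $id): ?array
    {
        if (!$this->acl->isAllowed($userId, $module, 'view')) {
            throw new AccessDeniedException(
                sprintf('user %s may not view records in %s', $userId, $module)
            );
        }
        return $this->store[$module][$id] ?? null;
    }
}

// Constructed sample data: "alice" may view Accounts only; "bob" may view both.
$store = [
    'Accounts' => ['acc-1' => ['name' => 'Example Corp']],
    'Contacts' => ['con-1' => ['name' => 'Jane Doe', 'phone' => '555-0100']],
];
$acl = new ArrayAclService([
    'alice' => ['Accounts' => ['view']],
    'bob'   => ['Accounts' => ['view'], 'Contacts' => ['view', 'edit']],
]);

$vulnerable = new VulnerableRecordHandler($store);
$secure     = new SecureRecordHandler($store, $acl);

// The vulnerable handler hands the Contacts record to alice despite her lacking "view".
var_dump($vulnerable->getRecord('alice', 'Contacts', 'con-1') !== null);

// The hardened handler refuses alice but serves bob.
try {
    $secure->getRecord('alice', 'Contacts', 'con-1');
    echo "unexpected: alice read a Contacts record\n";
} catch (AccessDeniedException $e) {
    echo "denied: {$e->getMessage()}\n";
}
var_dump($secure->getRecord('bob', 'Contacts', 'con-1')['name']);
```

The point of the hardened version is that the permission check sits inside the read path itself, so every caller (REST, GraphQL, or internal code) goes through it, mirroring what the advisory says `saveRecord()` already does for save permissions. When reviewing a code base for this class of flaw, compare each read entry point against its write counterpart and confirm both consult the ACL before returning or mutating data.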

Impact

Exploitation of this vulnerability allows any authenticated user to read any record from any module, bypassing the application's access control mechanisms for read operations.

Remediation

Users can upgrade to SuiteCRM version 8.9.3 or later to address this vulnerability.

Added: Mar 20, 2026, 12:25 AM
Updated: Mar 20, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.