SuiteCRM SQL Injection Vulnerability in Authentication Module Allowing Privilege Escalation

Vulnerability

A SQL injection vulnerability has been identified in SuiteCRM's authentication mechanism, affecting versions prior to 7.15.1 and 8.9.3 when directory support is enabled. The flaw arises because the application does not properly sanitize the user-supplied username before incorporating it into queries against the local database. An attacker holding valid, low-privilege directory credentials can therefore execute arbitrary SQL commands, which can lead to complete privilege escalation, for example obtaining access as the CRM Administrator.
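The following PHP snippet is an added illustration of the defect class the advisory describes and of its standard fix; it is not SuiteCRM code and makes no claim about SuiteCRM's internal database layer. It assumes PHP with the pdo_sqlite extension, uses a constructed in-memory users table, and contrasts a username lookup that concatenates the directory-accepted username into SQL with one that binds it as a parameter.

```php
<?php
// Added example, not SuiteCRM code: looking up a directory-authenticated
// username in the local users table. Schema and rows are constructed.
// Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, is_admin INTEGER)");
$pdo->exec("INSERT INTO users (user_name, is_admin) VALUES ('admin', 1), ('o''brien', 0)");

// The pattern the advisory describes: the username the directory accepted is
// concatenated straight into the local query, so whatever the caller typed
// is parsed as SQL rather than compared as data.
function findLocalUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, user_name, is_admin FROM users WHERE user_name = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened lookup: the username travels as a bound parameter, so it can only
// ever be compared as a literal string; quotes or comment markers inside it
// have no SQL meaning and the privilege column comes only from the matched row.
function findLocalUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare("SELECT id, user_name, is_admin FROM users WHERE user_name = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A legitimate name containing an apostrophe: the concatenating version throws
// a syntax error (a symptom worth logging, since it shows user input reaching
// the SQL parser), while the bound version simply finds the row.
try {
    findLocalUserUnsafe($pdo, "o'brien");
} catch (PDOException $e) {
    echo "unsafe lookup failed: " . $e->getMessage() . PHP_EOL;
}
var_dump(findLocalUser($pdo, "o'brien"));

// Input carrying SQL metacharacters is compared as a literal and matches no user.
var_dump(findLocalUser($pdo, "' OR '1'='1"));
```

The point to carry over to any directory-backed login flow: the directory only vouches for the credential, not for the safety of the username string, so the local lookup that follows must treat that string as untrusted data and bind it rather than splice it into the query.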

Impact

Exploitation requires valid directory credentials, so this is an authenticated SQL injection; its potential impact is privilege escalation to the CRM Administrator role.

Remediation

Upgrade to SuiteCRM 7.15.1 (for the 7.x line) or 8.9.3 (for the 8.x line) to address this vulnerability.

Added: Mar 20, 2026, 12:19 AM
Updated: Mar 20, 2026, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.2
remediation: 0.0
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.