CVE-2026-32697 PUBLISHED

SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)

Assigner: GitHub_M
Reserved: 13.03.2026 Published: 19.03.2026 Updated: 19.03.2026

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the RecordHandler::getRecord() method retrieves any record by module and ID without checking the current user's ACL view permission. The companion saveRecord() method correctly checks $bean->ACLAccess('save'), but getRecord() skips the equivalent ACLAccess('view') check. Version 8.9.3 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SuiteCRM
Product	SuiteCRM-Core
Versions	Version < 8.9.3 is affected

References

https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE