What is the CVSS score of CVE-2026-32697?

CVE-2026-32697 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Suitecrm are affected by CVE-2026-32697?

Organizations using SuiteCRM should be aware of notable risk from CVE-2026-32697, a IDOR vulnerability rated CVSS 6.5. Exploitation could compromise the security of affected deployments.

Suitecrm CVE-2026-32697

MEDIUM

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-03-20 security-advisories@github.com

Authentication Bypass Suitecrm

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 20, 2026 - 00:30 vuln.today

CVE Published

Mar 20, 2026 - 00:16 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the RecordHandler::getRecord() method retrieves any record by module and ID without checking the current user's ACL view permission. The companion saveRecord() method correctly checks $bean->ACLAccess('save'), but getRecord() skips the equivalent ACLAccess('view') check. Version 8.9.3 patches the issue.

AnalysisAI

SuiteCRM versions prior to 8.9.3 contain an access control bypass in the RecordHandler::getRecord() method that allows authenticated users to retrieve any record from the system without proper ACL view permission checks. An attacker with valid credentials can enumerate and read sensitive customer data, financial records, or other confidential information across all modules by directly calling the vulnerable method. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates this is a network-accessible vulnerability requiring only low privileges (authenticated user) with low attack complexity and high confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An employee with standard CRM user access (PR:L requirement) makes direct API calls or uses a custom script to invoke RecordHandler::getRecord() with sequential record IDs across high-value modules such as Accounts or Opportunities, bypassing the missing view permission checks. Within minutes, the attacker can extract detailed customer contact information, deal amounts, financial data, and other sensitive business records without triggering typical audit alerts since the records technically belong to accessible modules—the attack simply circumvents the per-record permission layer. …
Remediation	Immediately upgrade SuiteCRM to version 8.9.3 or later, which includes the ACL permission check fix in the RecordHandler::getRecord() method. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-32697 vulnerability details – vuln.today

Back

Suitecrm CVE-2026-32697

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code