LDAP
CVE-2026-33289
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.
AnalysisAI
An LDAP injection vulnerability in SuiteCRM's authentication flow allows attackers to manipulate LDAP queries by injecting control characters into user-supplied input, potentially leading to authentication bypass or information disclosure. The vulnerability affects SuiteCRM versions prior to 7.15.1 and 8.9.3, which are open-source CRM systems widely deployed in enterprise environments. While no active exploitation has been reported (not in CISA KEV), the network-exploitable nature and potential for authentication bypass makes this a serious concern for organizations using affected versions.
Technical ContextAI
The vulnerability stems from improper input sanitization in SuiteCRM's LDAP authentication module, where user-supplied credentials are directly embedded into LDAP search filters without adequate escaping of special characters. This is a classic example of CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query), where metacharacters like parentheses, asterisks, and backslashes can alter the intended query structure. When SuiteCRM constructs LDAP queries for authentication, attackers can inject these control characters to modify the query logic, potentially matching unintended user entries or extracting sensitive directory information through blind injection techniques.
RemediationAI
Immediately upgrade SuiteCRM to version 7.15.1 or later for the 7.x branch, or to version 8.9.3 or later for the 8.x branch, as these versions contain the necessary patches to prevent LDAP injection attacks. Until patching is complete, consider temporarily disabling LDAP authentication if feasible, implementing additional input validation at the application firewall level to filter LDAP metacharacters, and monitoring authentication logs for suspicious patterns that might indicate injection attempts. Full remediation details and upgrade procedures are available in the vendor's security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today