{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32697", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.822Z", "datePublished": "2026-03-19T23:13:08.280Z", "dateUpdated": "2026-03-20T20:04:17.239Z"}, "containers": {"cna": {"title": "SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM-Core", "versions": [{"version": "< 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:13:08.280Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue."}], "source": {"advisory": "GHSA-9p9g-224x-6rmm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:04:08.531655Z", "id": "CVE-2026-32697", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:04:17.239Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32697", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T20:04:08.531655Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:04:13.383Z"}}], "cna": {"title": "SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)", "source": {"advisory": "GHSA-9p9g-224x-6rmm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM-Core", "versions": [{"status": "affected", "version": "< 8.9.3"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm", "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:13:08.280Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32697", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:04:17.239Z", "dateReserved": "2026-03-13T14:33:42.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:13:08.280Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue."}], "id": "CVE-2026-32697", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:16.600", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-9p9g-224x-6rmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.9.3)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 87.0, "source": "matching"}]}, "original": {"product": "SuiteCRM-Core", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-20T00:21:02.446368+00:00", "value": {"mitigation_remediation": ["Upgrade SuiteCRM to version\u202f8.9.3 or later."], "summary": {"action": "Patch", "impact": "Unauthorized data disclosure"}, "threat_synthesis": {"affected_systems": "SuiteCRM Core is affected. All instances running a version earlier than 8.9.3 are vulnerable. The issue was fixed in version 8.9.3; any deployment using older releases should upgrade.", "description_and_impact": "RecordHandler::getRecord() retrieves records without checking the ACL view permission. Because the method bypasses the ACL check, any authenticated user can read any record in SuiteCRM. This flaw is an insecure direct object reference (IDOR) that can expose sensitive customer data. The vulnerability is classified as CWE\u2011639 (Authorization Bypass Through User\u2011Controlled Key).", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity. No EPSS score is available and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a valid authenticated session; once authenticated, the attacker can request any record ID and retrieve its data through RecordHandler::getRecord. Because the flaw allows broad data disclosure within the authenticated scope, the risk of significant information leakage is high even though no remote code execution is involved."}}}}, "created": "2026-03-20T08:54:20.330011+00:00", "updated": "2026-03-20T10:43:47.589002+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}