CVE-2026-32697
SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
8th
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
| CWE | CWE-639 |
| Vendor | suitecrm |
| Product | suitecrm-core |
| Published | Mar 19, 2026 |
| Last Updated | Mar 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for suitecrm suitecrm-core
Be the first to know when new medium vulnerabilities affecting suitecrm suitecrm-core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
SuiteCRM / SuiteCRM-Core
< 8.9.3