SuiteCRM Missing ACL Check in Record Retrieval
CVE-2026-32697
Summary
Before patching, SuiteCRM's record retrieval feature didn't verify you had permission to view certain records. This could allow unauthorized access to sensitive customer information. You should update to version 8.9.3 or later to fix this issue.
Original title
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by mo...
Original description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, the `RecordHandler::getRecord()` method retrieves any record by module and ID without checking the current user's ACL view permission. The companion `saveRecord()` method correctly checks `$bean->ACLAccess('save')`, but `getRecord()` skips the equivalent `ACLAccess('view')` check. Version 8.9.3 patches the issue.
nvd CVSS3.1
6.5
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 20 Mar 2026
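The pattern in the description, shown as an added example that is not SuiteCRM source code: a lookup by module and ID with no `view` check, next to the same lookup with the check that mirrors `saveRecord()`. `DemoBean`, `DemoRecordHandler`, the owner-only rule and the sample record are hypothetical stand-ins, and this `ACLAccess()` takes the current user as a parameter only to keep the model self-contained.

```php
<?php
// Constructed model of the pattern in the description; NOT SuiteCRM source code.
// DemoBean, DemoRecordHandler and the owner-only ACL rule are hypothetical stand-ins.

final class DemoBean
{
    public function __construct(public string $ownerId, public string $name) {}

    // Stand-in for the real ACLAccess(): here only the owner may view or save.
    public function ACLAccess(string $action, string $currentUserId): bool
    {
        return in_array($action, ['view', 'save'], true)
            && $this->ownerId === $currentUserId;
    }
}

final class DemoRecordHandler
{
    /** @param array<string, array<string, DemoBean>> $store module => id => bean */
    public function __construct(private array $store, private string $currentUserId) {}

    // Pre-patch shape: module and ID come from the request, no 'view' check.
    public function getRecordUnchecked(string $module, string $id): ?DemoBean
    {
        return $this->store[$module][$id] ?? null;
    }

    // Corrected shape: same lookup, then the 'view' check that mirrors saveRecord().
    public function getRecord(string $module, string $id): DemoBean
    {
        $bean = $this->store[$module][$id] ?? null;
        // Same error for "missing" and "forbidden" so record IDs cannot be probed.
        if ($bean === null || !$bean->ACLAccess('view', $this->currentUserId)) {
            throw new RuntimeException('Record not found or access denied');
        }
        return $bean;
    }
}

// Constructed sample data: one Accounts record owned by user-a, requested by user-b.
$store = ['Accounts' => ['rec-1' => new DemoBean('user-a', 'Acme Ltd')]];
$handler = new DemoRecordHandler($store, 'user-b');

echo $handler->getRecordUnchecked('Accounts', 'rec-1')?->name, PHP_EOL;
try {
    $handler->getRecord('Accounts', 'rec-1');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The unchecked path returns the other user's record, while the checked path refuses it; a regression test for the fix should assert exactly that difference for a user without `view` access.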