CVE-2026-33288
Published: 20 March 2026
Summary
CVE-2026-33288 is a high-severity SQL Injection (CWE-89) vulnerability in SuiteCRM. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 17.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires sanitization and validation of user-supplied inputs, such as usernames, before they are used in database queries, preventing SQL injection during authentication.
- SI-2 (Flaw Remediation): Ensures timely remediation of identified flaws such as this SQL injection vulnerability by patching to the fixed versions 7.15.1 or 8.9.3.
- Provides vulnerability scanning to identify SQL injection flaws in SuiteCRM authentication mechanisms for prioritization and remediation.
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
SQL injection in the authenticated login flow directly allows a low-privilege user to execute arbitrary SQL and escalate to administrator (account impersonation, full control of the instance).
NVD Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a SQL Injection vulnerability exists in the SuiteCRM authentication mechanisms when directory support is enabled. The application fails to properly sanitize the user-supplied username before using it in a local database query. An attacker with valid, low-privilege directory credentials can exploit this to execute arbitrary SQL commands, leading to complete privilege escalation (e.g., logging in as the CRM Administrator). Versions 7.15.1 and 8.9.3 patch the issue.
Deeper analysis
CVE-2026-33288 is a SQL injection vulnerability in the authentication mechanisms of SuiteCRM, an open-source enterprise Customer Relationship Management (CRM) software application. The flaw affects versions prior to 7.15.1 and 8.9.3, specifically when directory support is enabled. In these versions, the application fails to properly sanitize user-supplied usernames before incorporating them into local database queries, allowing injection of malicious SQL code. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
An attacker requires valid low-privilege directory credentials to exploit this vulnerability remotely over the network with low complexity and no user interaction. By supplying a crafted username during authentication, the attacker can execute arbitrary SQL commands against the database. This enables complete privilege escalation, such as impersonating the CRM Administrator account and gaining full control over the SuiteCRM instance.
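The pattern described above (a directory-supplied username spliced into a local database query) and the SI-10 control listed earlier can be illustrated with a small added example. This is educational code written for this page, not SuiteCRM's code and not its schema: it uses an in-memory SQLite table with two constructed user rows, places the concatenating query beside its parameterized replacement, and adds an allowlist check whose character set is an assumption, not SuiteCRM's or any directory's actual naming rule.

```python
import re
import sqlite3


# Constructed stand-in for a CRM's local user table; this is not SuiteCRM's schema.
def build_demo_db():
    """Create an in-memory SQLite database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (user_name, is_admin) VALUES (?, ?)",
        [("admin", 1), ("jdoe", 0)],
    )
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable pattern (CWE-89): the username is spliced into the SQL text, so any
    quote or SQL metacharacter in it becomes part of the statement, not the value."""
    sql = f"SELECT id, user_name, is_admin FROM users WHERE user_name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Fixed pattern: a parameterized query binds the username as a value, so the
    database never parses it as SQL."""
    sql = "SELECT id, user_name, is_admin FROM users WHERE user_name = ?"
    return conn.execute(sql, (username,)).fetchall()


def unsafe_query_breaks(conn, username):
    """True if the concatenating query fails to parse for this username; a benign
    name containing an apostrophe is enough to show that input reaches the SQL parser."""
    try:
        lookup_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


# Assumed allowlist for directory account names (SI-10 style input validation).
# A real deployment must align this with the directory's actual naming rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_directory_username(username):
    """Reject anything outside the assumed allowlist before it reaches a query."""
    return USERNAME_RE.fullmatch(username) is not None


def local_user_for_directory_login(conn, username):
    """Defensive login lookup: validate first, then query with bound parameters.
    Returns the matching (id, user_name, is_admin) row, or None."""
    if not validate_directory_username(username):
        return None
    rows = lookup_user_safe(conn, username)
    return rows[0] if rows else None


if __name__ == "__main__":
    db = build_demo_db()
    print(local_user_for_directory_login(db, "jdoe"))  # (2, 'jdoe', 0)
    print(unsafe_query_breaks(db, "O'Brien"))          # True
    print(lookup_user_safe(db, "O'Brien"))             # []
```

The two defences are layered on purpose: the parameterized query is the fix that removes the injection, and the allowlist is the input-validation control that keeps unexpected characters from reaching the query at all. The same layering applies when the real code runs under MySQL or MariaDB rather than SQLite; only the placeholder syntax of the driver changes.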
SuiteCRM advisories recommend upgrading to version 7.15.1 or 8.9.3, which include patches addressing the SQL injection issue. Additional details are available in the official release notes at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7.
Details
- CWE(s)