Cyber Posture

CVE-2026-33289

Severity: High
Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (fixed in SuiteCRM 7.15.1 and 8.9.3)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33289 is a high-severity LDAP Injection (CWE-90) vulnerability in SuiteCRM (listed as vendor/product Suitecrm Suitecrm). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation)

Requires validation of user-supplied input before embedding it into LDAP search filters, directly preventing LDAP injection for authentication bypass or disclosure.

prevent

Mandates identification, reporting, and correction of flaws like this LDAP injection vulnerability through patching, as implemented in SuiteCRM versions 7.15.1 and 8.9.3.

detect: RA-5 (Vulnerability Monitoring and Scanning)

Enables vulnerability scanning to identify LDAP injection flaws in authentication flows during monitoring activities.
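As an added illustration of the input-validation control above (example code written for this page, not SuiteCRM's own code), the following Python shows the raw string interpolation that CWE-90 describes beside a hardened version that allowlists the login name and then escapes the value per RFC 4515 before it is placed in the search filter. The `uid` attribute, the `person` object class, the username pattern and the sample inputs are assumptions for the example, not details taken from SuiteCRM.

```python
import re

# RFC 4515 section 3: characters with special meaning inside an LDAP
# search-filter assertion value, mapped to their \xx hex escape sequences.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for login names. Assumption for this example: accounts use
# letters, digits, dot, underscore and hyphen, 1 to 64 characters.
# Adjust it to match the naming policy of the directory you authenticate against.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever match literally inside a filter.

    Every metacharacter is replaced by its RFC 4515 hex form, so the value
    cannot close the current assertion or open a new one.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_username(username: str) -> bool:
    """Structural allowlist check, run before the value reaches the filter."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_login_filter_unsafe(username: str) -> str:
    """Raw interpolation: the CWE-90 pattern, kept here only for contrast.

    A value containing ')' or '*' changes the filter's structure instead of
    being treated as data.
    """
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter(username: str, attr: str = "uid") -> str:
    """Hardened construction: allowlist validation first, then escaping.

    Escaping alone neutralises the metacharacters; the allowlist is defence
    in depth and gives a clean rejection path for values that should never
    reach the directory. `attr` must come from configuration, never from
    the request, because the escaping applies only to the value.
    """
    if not validate_username(username):
        raise ValueError("username rejected by allowlist")
    return f"(&(objectClass=person)({attr}={escape_filter_value(username)}))"


def build_lookup_filter(attr: str, value: str) -> str:
    """For free-text lookups where an allowlist is too restrictive: escaping
    alone keeps the user-supplied value inert inside the filter."""
    return f"({attr}={escape_filter_value(value)})"


if __name__ == "__main__":
    # Constructed inputs: a normal login name and one carrying filter
    # metacharacters. The unsafe builder lets the second one alter the
    # query structure; the hardened builder rejects it outright.
    for name in ("j.doe", "a*b(c)d\\e"):
        print("unsafe  :", build_login_filter_unsafe(name))
        print("escaped :", build_lookup_filter("uid", name))
        try:
            print("hardened:", build_login_filter(name))
        except ValueError as exc:
            print("hardened: rejected ->", exc)
```

The two builders take the same input; the difference is that the hardened one refuses anything outside the allowlist and, for values it does accept, emits only literal characters into the filter. Scanning an application for the unsafe pattern (string interpolation directly into a filter) is the code-level counterpart of the RA-5 control listed above.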

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

LDAP injection in the authentication flow of the public-facing web application SuiteCRM directly enables exploitation of a public-facing application (T1190) for authentication bypass and information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.

Deeper analysis

CVE-2026-33289 is an LDAP injection vulnerability in the authentication flow of SuiteCRM, an open-source enterprise-ready Customer Relationship Management (CRM) software application. The flaw affects SuiteCRM versions prior to 7.15.1 and 8.9.3, where the application fails to properly sanitize user-supplied input before embedding it into LDAP search filters, allowing injection of LDAP control characters.

An unauthenticated attacker can exploit this vulnerability by manipulating the LDAP query logic during authentication, potentially achieving authentication bypass or information disclosure. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query). Note that the vector's PR:L (low privileges required) does not match the NVD description's unauthenticated attacker; both values are reproduced here as published.

SuiteCRM versions 7.15.1 and 8.9.3 patch this issue. Additional details are available in the release notes at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599.

Details

CWE(s)

CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query)

Affected Products

suitecrm / suitecrm: ≤ 7.15.1; 8.0.0 to 8.9.3 (per the NVD text, versions prior to 7.15.1 and 8.9.3 are affected; 7.15.1 and 8.9.3 are the fixed releases)

CVEs Like This One

CVE-2026-29102 (same product: Suitecrm Suitecrm)
CVE-2026-29109 (same product: Suitecrm Suitecrm)
CVE-2026-29103 (same product: Suitecrm Suitecrm)
CVE-2026-29097 (same product: Suitecrm Suitecrm)
CVE-2026-29189 (same product: Suitecrm Suitecrm)
CVE-2026-29096 (same product: Suitecrm Suitecrm)
CVE-2026-29100 (same product: Suitecrm Suitecrm)
CVE-2026-29101 (same product: Suitecrm Suitecrm)
CVE-2026-29099 (same product: Suitecrm Suitecrm)
CVE-2026-33288 (same product: Suitecrm Suitecrm)

References

https://docs.suitecrm.com/admin/releases/7.15.x (SuiteCRM 7.15.x release notes)
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599 (GitHub security advisory)