Improper access control in SuiteCRM - CVE-2025-64490

Published: April 24, 2026


Vulnerability identifier: #VU127394
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-64490
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SalesAgility
Affected software:
SuiteCRM

Detailed vulnerability description

The vulnerability allows a remote user to bypass access controls and view and create restricted work items.

The vulnerability exists due to improper access control in the Resource Calendar, the project screens, and cross-module role enforcement when handling requests to restricted modules and views. A remote authenticated user can use the Resource Calendar and project functionality to bypass these controls and view and create work items that their role does not permit.

The issue affects modules and views that were explicitly set to "disabled" or "none" in role management.


How to mitigate CVE-2025-64490

Install the security update from the vendor's website.