LDAP injection in SuiteCRM - CVE-2026-33289


Published: April 24, 2026


Vulnerability identifier: #VU127399
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33289
CWE-ID: CWE-90
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SalesAgility
Affected software:
SuiteCRM

Detailed vulnerability description

The vulnerability allows a remote user to bypass authentication or obtain sensitive information from the directory.

The vulnerability exists due to improper neutralization of special elements used in an LDAP query in the authentication flow: user-supplied input is placed into an LDAP search filter without being escaped. A remote user can inject LDAP filter metacharacters (asterisk, parentheses, backslash, NUL) to change the structure of the filter, and thereby bypass authentication or extract sensitive attribute values from the directory.
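The mechanism described above, as an added example that is not SuiteCRM's code and is not taken from the advisory: a login flow that looks a user up with a filter of the shape (&(uid=<user>)(memberOf=<group>)) is shown both with the username concatenated in raw and with RFC 4515 escaping (the same escaping PHP's ldap_escape() performs with LDAP_ESCAPE_FILTER). A small filter parser and an in-memory directory let the two builders be compared offline. The group DN, the directory entries and the attribute names are constructed for the example and are assumptions, not facts about SuiteCRM.

```python
"""LDAP filter injection in a search-then-bind login flow: vulnerable vs. hardened filter builder."""
import re

# Assumed group used to gate CRM access; constructed for this example.
GROUP_DN = "cn=crm-users,ou=groups,dc=example,dc=com"


def build_filter_unsafe(username: str) -> str:
    """CWE-90 pattern: the username is concatenated straight into the filter."""
    return f"(&(uid={username})(memberOf={GROUP_DN}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 assertion-value escaping: \\ * ( ) and NUL become \\xx hex escapes."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def build_filter_safe(username: str) -> str:
    """Hardened builder: the username can only ever be a literal uid value."""
    return f"(&(uid={escape_filter_value(username)})(memberOf={GROUP_DN}))"


def parse_filter(s: str) -> tuple:
    """Minimal RFC 4515 parser returning a tree of ('&'|'|'|'!', [children]) and ('=', attr, value).
    Raises ValueError on malformed input or trailing data after the outermost filter."""
    def node(i: int):
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"expected '(' at {i}")
        i += 1
        if i < len(s) and s[i] in "&|!":
            op, kids, i = s[i], [], i + 1
            while i < len(s) and s[i] == "(":
                child, i = node(i)
                kids.append(child)
            if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"bad {op!r} list at {i}")
            return (op, kids), i + 1
        j = s.find(")", i)
        if j < 0 or "(" in s[i:j]:  # an unescaped '(' cannot appear inside a value
            raise ValueError(f"unterminated item at {i}")
        attr, eq, value = s[i:j].partition("=")
        if not eq or not attr:
            raise ValueError(f"bad item at {i}")
        return ("=", attr, value), j + 1

    tree, end = node(0)
    if end != len(s):
        raise ValueError(f"trailing data after filter: {s[end:]!r}")
    return tree


def filter_is_well_formed(filter_str: str) -> bool:
    try:
        parse_filter(filter_str)
        return True
    except ValueError:
        return False


def _value_regex(value: str) -> "re.Pattern":
    """Assertion value -> regex: unescaped '*' is a wildcard, '\\xx' is a literal character."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 2 < len(value):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif c == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out))


def matches(tree: tuple, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute name -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    rx = _value_regex(value)
    return any(rx.fullmatch(v) for v in entry.get(attr, []))


def search(directory: dict, filter_str: str) -> list:
    """Return the DNs a subtree search with this filter would return (sorted for determinism)."""
    tree = parse_filter(filter_str)
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


# Constructed directory: two group members (one of them the admin) and one outsider.
DIRECTORY = {
    "uid=admin,ou=people,dc=example,dc=com": {"uid": ["admin"], "userPassword": ["secret1"], "memberOf": [GROUP_DN]},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "userPassword": ["hunter2"], "memberOf": [GROUP_DN]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "userPassword": ["pw"], "memberOf": []},
}


def demo() -> dict:
    """Run the same usernames through both builders and collect what the search returns."""
    return {
        "legit": search(DIRECTORY, build_filter_unsafe("alice")),
        # '*' matches every group member; a search-then-bind flow then takes the first entry.
        "wildcard": search(DIRECTORY, build_filter_unsafe("*")),
        # Extra clause turns the search into a yes/no oracle on another attribute (blind extraction).
        "oracle_hit": search(DIRECTORY, build_filter_unsafe("admin)(userPassword=s*")),
        "oracle_miss": search(DIRECTORY, build_filter_unsafe("admin)(userPassword=z*")),
        # With escaping both payloads are literal uid values and match nothing.
        "safe_wildcard": search(DIRECTORY, build_filter_safe("*")),
        "safe_oracle": search(DIRECTORY, build_filter_safe("admin)(userPassword=s*")),
    }


if __name__ == "__main__":
    for name, dns in demo().items():
        print(f"{name:14} -> {dns}")
```

Both injected filters above are syntactically valid, so a directory server that rejects trailing junk (the classic "admin)(&)" payload fails parse_filter for exactly that reason) does not protect the application; only escaping the value does. In a PHP code base the equivalent of escape_filter_value is ldap_escape($username, '', LDAP_ESCAPE_FILTER), applied to every user-controlled value before it is interpolated into a filter.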


How to mitigate CVE-2026-33289

Install the security update from the vendor's website. Until the update is applied, ensure that every user-supplied value reaching an LDAP search filter is escaped as an RFC 4515 assertion value (in PHP, ldap_escape() with LDAP_ESCAPE_FILTER) rather than concatenated into the filter string.

Sources