VYPR
Unrated severity · NVD Advisory · Published Nov 8, 2025 · Updated Nov 13, 2025

SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass

CVE-2025-64490

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.7 and prior, and 8.0.0-beta.1 through 8.9.0, allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even when the related modules (Projects, Project Tasks, Tasks, Leads, Accounts, Meetings, Calls) are explicitly set to Disabled/None in Role Management. This indicates inconsistent ACL/RBAC enforcement across modules and views: the module-level role check is not applied consistently on every view that reads or writes those records, resulting in unauthorized data exposure and modification. This issue is fixed in versions 7.14.8 and 8.9.1.


Affected products

  • Suitecrm/Suitecrm (llm-fuzzy match), 2 version ranges
    • (no CPE) range: <= 7.14.7, 8.0.0-beta.1 - 8.9.0
    • (no CPE) range: < 7.14.8
