
SuiteCRM CVE-2026-29108

MEDIUM
Information Exposure (CWE-200)
2026-03-20 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 20, 2026 - 00:30 (vuln.today)
CVE Published: Mar 20, 2026 - 00:16 (nvd), rated MEDIUM 6.5

Description (GitHub Advisory)

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.

Analysis (AI)

SuiteCRM prior to version 8.9.3 contains an authenticated information disclosure vulnerability in an API endpoint that allows any authenticated user to retrieve sensitive user data including password hashes, usernames, and MFA configurations of other users. This enables attackers with valid credentials to enumerate and potentially crack administrative user passwords, escalating privileges within the CRM system. …


Vulnerability Assessment (AI)

Risk Assessment: The CVSS score of 6.5 (Medium) reflects the vulnerability's seriousness: the vector indicates network accessibility (AV:N), low attack complexity (AC:L), and only low privileges required (PR:L), with high confidentiality impact (C:H) but no integrity or availability impact. …

Exploit Scenario: An attacker with a valid but low-privilege SuiteCRM user account (such as a sales representative with basic CRM access) authenticates to the system and directly queries the vulnerable API endpoint to enumerate all user accounts. The attacker retrieves password hashes and MFA configuration details for administrative users, then uses offline password cracking tools against the hashes to recover plaintext passwords. …

Remediation: Immediately upgrade SuiteCRM to version 8.9.3 or later, which patches the authorization bypass in the affected API endpoint. …
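The advisory does not name the endpoint or show SuiteCRM's code, so the following Python is an added, hypothetical illustration (not the project's own code) of the two controls a fix for this class of issue needs: object-level authorization on the requester, so an ordinary user can only read their own record, and field-level redaction, so a password hash or MFA secret is never serialized into an API response at all, even for an administrator. The `User` type, the `USERS` store, the usernames and the hash and seed strings are all constructed sample values.

```python
"""Authorization plus field-level redaction for a 'get user' API handler.
Hypothetical illustration of the defensive pattern; not SuiteCRM's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: str
    username: str
    is_admin: bool
    password_hash: str            # constructed placeholder, not a real hash
    mfa_secret: Optional[str]     # constructed placeholder TOTP seed, or None


# Constructed sample user store standing in for the application's user table.
USERS = {
    "u1": User("u1", "admin", True, "$2y$10$constructed.admin.hash", "constructed-totp-seed"),
    "u2": User("u2", "sales.rep", False, "$2y$10$constructed.rep.hash", None),
}

# Columns that must never leave the server, whoever asks. Allow-listing the
# returned fields would be stricter still; a deny-list is shown for brevity.
SECRET_FIELDS = {"password_hash", "mfa_secret"}


class Forbidden(Exception):
    """Raised when the requester may not read the target record."""


def get_user_vulnerable(requester_id: str, target_id: str) -> dict:
    """'Before' shape of the bug (CWE-200): authentication is checked by the
    framework, but any logged-in user can read any record, secrets included."""
    return vars(USERS[target_id]).copy()


def get_user_hardened(requester_id: str, target_id: str) -> dict:
    """Hardened handler: authorize the requester, then return a redacted view."""
    requester = USERS[requester_id]
    target = USERS[target_id]
    # 1. Object-level authorization: a user may read their own record,
    #    administrators may read anyone's.
    if requester.id != target.id and not requester.is_admin:
        raise Forbidden(f"user {requester_id} may not read user {target_id}")
    # 2. Field-level redaction: callers get a view of the record, never the raw
    #    row. Expose only whether MFA is enrolled, not the secret itself.
    view = {k: v for k, v in vars(target).items() if k not in SECRET_FIELDS}
    view["mfa_enabled"] = target.mfa_secret is not None
    return view


def leaks_secret(response: dict) -> bool:
    """Response-side check a test suite can run against any user endpoint."""
    return bool(SECRET_FIELDS & response.keys())


if __name__ == "__main__":
    print("vulnerable, rep reads admin:", get_user_vulnerable("u2", "u1"))
    try:
        get_user_hardened("u2", "u1")
    except Forbidden as exc:
        print("hardened, rep reads admin:", exc)
    print("hardened, admin reads rep:", get_user_hardened("u1", "u2"))
```

The `leaks_secret` helper is the kind of assertion worth keeping in an API test suite: it fails the build if any user-facing serializer ever reintroduces the hash or MFA secret, independently of whether the authorization check is also correct.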

Recommended Action (AI)

Within 30 days: Identify affected systems and apply vendor patches as part of the regular patch cycle. …
