
SuiteCRM CVE-2026-29189

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-20 security-advisories@github.com
8.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 20, 2026 - 00:30 (vuln.today)
CVE Published: Mar 20, 2026 - 00:16 (nvd)
Severity: HIGH 8.1

Description (GitHub Advisory)

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.

Analysis (AI)

A critical access control vulnerability exists in the SuiteCRM REST API V8 where multiple endpoints lack proper ACL (Access Control List) validation, enabling authenticated users to access and modify data beyond their authorized permissions. This affects SuiteCRM versions prior to 7.15.1 and 8.9.3, allowing privilege escalation within the CRM system where low-privileged users can potentially access sensitive customer data, modify records, or perform administrative actions. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate with a low-privilege SuiteCRM account
Exploit: Send a REST API V8 request to an unprotected endpoint
Execution: Bypass the missing ACL validation checks
Impact: Access or modify restricted data

Vulnerability Assessment (AI)

Exploitation: An authenticated user account is required on SuiteCRM versions 7.15.0 and earlier or 8.9.2 and earlier. …
Risk Assessment: The CVSS 3.1 score of 8.1 reflects high confidentiality and integrity impacts with a network-based attack vector requiring low privileges and no user interaction (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). …
Exploit Scenario: An attacker with basic authenticated access to the SuiteCRM system could exploit the missing ACL checks by crafting API requests to endpoints that should be restricted, potentially accessing confidential customer records or financial data, or modifying critical business information belonging to other users or departments. Given the network-based attack vector and low complexity, this could be automated to exfiltrate large amounts of data or perform mass modifications across the CRM database. …
Remediation: Upgrade SuiteCRM immediately to version 7.15.1 or later for 7.x deployments, or to version 8.9.3 or later for 8.x deployments; these versions contain the security patches addressing the missing ACL checks. …

Recommended Action (AI)

Within 24 hours: Inventory all SuiteCRM deployments and versions; audit API access logs for suspicious activity. …



CVE-2026-29189 vulnerability details – vuln.today
