CVE-2026-29099

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.suitecrm.com/admin/releases/7.15.x	Release Notes
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:suitecrm:suitecrm::::::::
	cpe:2.3:a:suitecrm:suitecrm::::::::

History

No history.

Information

Published : 2026-03-19 23:16

Updated : 2026-03-24 14:45

NVD link : CVE-2026-29099

Mitre link : CVE-2026-29099

CVE.ORG link : CVE-2026-29099

JSON object : View

Products Affected

suitecrm

suitecrm

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-29099", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-19T23:16:41.920", "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de Gesti\u00f3n de Relaciones con Clientes (CRM) de c\u00f3digo abierto y lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, la funci\u00f3n 'retrieve()' en 'include/OutboundEmail/OutboundEmail.php' no neutraliza correctamente el par\u00e1metro '$id' controlado por el usuario. Se asume que la funci\u00f3n que llama a 'retrieve()' citar\u00e1 y sanear\u00e1 adecuadamente la entrada del usuario. Sin embargo, se han identificado dos ubicaciones a las que se puede acceder a trav\u00e9s de la acci\u00f3n 'EmailUIAjax' en el m\u00f3dulo 'Email()' donde este no es el caso. Como tal, es posible que un usuario autenticado realice una inyecci\u00f3n SQL a trav\u00e9s de la funci\u00f3n 'retrieve()'. Esto afecta a las \u00faltimas versiones principales 7.15 y 8.9. Dado que no parece haber restricciones sobre qu\u00e9 tablas pueden ser llamadas, ser\u00eda posible para un atacante recuperar informaci\u00f3n arbitraria de la base de datos, incluyendo informaci\u00f3n de usuario y hashes de contrase\u00f1a. Las versiones 7.15.1 y 8.9.3 parchean el problema."}], "lastModified": "2026-03-24T14:45:01.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99", "versionEndExcluding": "7.15.1"}, {"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF", "versionEndExcluding": "8.9.3", "versionStartIncluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}