CVE-2026-29108

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 00:16

Updated : 2026-03-23 16:49

NVD link : CVE-2026-29108

Mitre link : CVE-2026-29108

CVE.ORG link : CVE-2026-29108

JSON object : View

Products Affected

suitecrm

suitecrm

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-29108", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T00:16:15.983", "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de Gesti\u00f3n de Relaciones con Clientes (CRM) de c\u00f3digo abierto y lista para empresas. Antes de las versiones 8.9.3, un endpoint de API autenticado permite a cualquier usuario recuperar informaci\u00f3n detallada sobre cualquier otro usuario, incluyendo su hash de contrase\u00f1a, nombre de usuario y configuraci\u00f3n de MFA. Dado que cualquier usuario autenticado puede consultar este endpoint, es posible recuperar y potencialmente descifrar las contrase\u00f1as de los usuarios administrativos. La versi\u00f3n 8.9.3 corrige el problema."}], "lastModified": "2026-03-23T16:49:25.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD824E64-58E0-472C-84CB-6729B4B791DF", "versionEndExcluding": "8.9.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}