CVE-2026-29098
Received Received - Intake
Path Traversal in SuiteCRM ModuleBuilder Allows Arbitrary File Exposure

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php` where they are both utilized in constructing s paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29098
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SuiteCRM versions prior to 7.15.1 and 8.9.3 in the ModuleBuilder module. The function action_exportCustom does not properly neutralize path traversal sequences in the parameters $modules and $name. These parameters are then used to construct file paths for reading and writing in the exportCustom function. As a result, a user with access to the ModuleBuilder module, typically an administrator, can craft a request that copies the contents of any readable directory on the host system into the web root, making those files accessible via the web.

This means an attacker can potentially expose sensitive system files such as those in /etc or the root directory of the web server, including secrets and environment variables.

Impact Analysis

The vulnerability allows an attacker with ModuleBuilder access to copy any readable directory from the server into the web root, exposing sensitive files to unauthorized users.

  • Exposure of system files such as configuration files, environment variables, and secrets.
  • Potential leakage of sensitive information that could be used for further attacks.
  • Compromise of confidentiality due to unauthorized file disclosure.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade SuiteCRM to version 7.15.1 or later if you are using the 7.x branch, or to version 8.9.3 or later if you are using the 8.x branch.

Restrict access to the ModuleBuilder module to only trusted administrators, as exploitation requires access to this module.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart