CVE-2026-29099
Status: Received - Intake
SQL Injection in SuiteCRM OutboundEmail Module Allows Data Exposure

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.
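To make the contract problem in the description concrete, here is an added example (not SuiteCRM's code) of a `retrieve()`-style lookup that relies on its callers to quote `$id`, placed beside a version that binds the parameter itself. The function names, table, columns and ids are constructed for the demo, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Illustrative model of the contract described in the advisory, not SuiteCRM code.
// The table, columns and ids are constructed for this demo (SQLite in memory).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE outbound_email (id TEXT PRIMARY KEY, name TEXT, deleted INTEGER)");
$db->exec("INSERT INTO outbound_email VALUES ('abc-1', 'system', 0), ('abc-2', 'personal', 0)");

// Vulnerable shape (hypothetical name): $id is spliced into the SQL text verbatim.
// This is only safe if every caller has already quoted and escaped the value,
// the implicit contract the advisory says two EmailUIAjax code paths do not honour.
function retrieveUnsafe(PDO $db, string $id): ?array
{
    $sql = "SELECT id, name FROM outbound_email WHERE id = $id AND deleted = 0";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened shape (hypothetical name): the function neutralizes $id itself by
// binding it as a parameter, so a caller's quoting discipline no longer matters.
function retrieveSafe(PDO $db, string $id): ?array
{
    $stmt = $db->prepare("SELECT id, name FROM outbound_email WHERE id = :id AND deleted = 0");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A disciplined caller of the unsafe version has to quote before calling.
var_dump(retrieveUnsafe($db, $db->quote('abc-1')));

// With the hardened version the raw request value goes straight in; an embedded
// quote is compared as data against the id column rather than parsed as SQL.
var_dump(retrieveSafe($db, 'abc-1'));
var_dump(retrieveSafe($db, "abc-1' OR '1'='1"));
```

The fix direction shown here, moving neutralization into the function that builds the query rather than trusting each caller, is the general remedy for CWE-89 and does not depend on which caller was missed.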
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
suitecrm | suitecrm | up to 7.15.1 (excluding)
suitecrm | suitecrm | from 8.0.0 (including) up to 8.9.3 (excluding)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in SuiteCRM versions prior to 7.15.1 and 8.9.3, specifically in the `retrieve()` function located in `include/OutboundEmail/OutboundEmail.php`. The function fails to properly neutralize the user-controlled `$id` parameter, assuming that the calling function will sanitize the input. However, two locations accessible via the `EmailUIAjax` action on the `Email()` module do not perform this sanitization, allowing an authenticated user to perform SQL injection through the `retrieve()` function.

Because there appear to be no restrictions on which database tables can be queried, an attacker could retrieve arbitrary information from the database, including sensitive data such as user information and password hashes.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to sensitive data stored in the SuiteCRM database. An attacker exploiting this SQL injection flaw could retrieve confidential information such as user details and password hashes.

The vulnerability has a high severity score (CVSS 3.1 Base Score 8.8) indicating that it can lead to significant confidentiality, integrity, and availability impacts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade SuiteCRM to versions 7.15.1 or 8.9.3 or later, as these versions include patches that fix the SQL injection issue in the retrieve() function.

