CVE-2026-29104
Received Received - Intake
Authenticated Arbitrary File Upload in SuiteCRM Configurator Module

Publication date: 2026-03-19

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker‑controlled filenames to be written to the server. Although the upload directory is not directly web‑accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29104
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
suitecrm suitecrm to 7.15.1 (exc)
suitecrm suitecrm From 8.0.0 (inc) to 8.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SuiteCRM, an open-source Customer Relationship Management software. Before versions 7.15.1 and 8.9.3, an authenticated administrator could exploit a flaw in the Configurator module to upload arbitrary files by bypassing file type restrictions intended for PDF font files.

This means that an attacker with administrator access can upload files with attacker-controlled filenames to the server, potentially breaking security boundaries.

Although the upload directory is not directly accessible via the web by default, this vulnerability could be combined with other weaknesses or specific deployment setups to enable further attacks.

Impact Analysis

The vulnerability allows an authenticated administrator to upload arbitrary files to the server, which can lead to security boundary violations.

While the upload directory is not directly web-accessible by default, this flaw may enable further attacks if combined with other vulnerabilities or certain deployment configurations.

Potential impacts include unauthorized file uploads that could be used to execute malicious code, escalate privileges, or compromise the integrity of the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SuiteCRM to version 7.15.1 or 8.9.3 or later, as these versions contain patches that fix the authenticated arbitrary file upload issue in the Configurator module.

Additionally, ensure that only trusted administrators have access to the Configurator module to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart