CVE-2026-29108
Information Disclosure via Authenticated API in SuiteCRM Before

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it is possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-23
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: suitecrm
Product: suitecrm
Version / Range: up to 8.9.3 (excluding)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-29108 is a moderate severity vulnerability in SuiteCRM versions up to 8.9.2. It involves an authenticated API endpoint (/api/users) that allows any authenticated user to retrieve detailed information about any other user. This information includes sensitive data such as password hashes, usernames, and multi-factor authentication (MFA) configurations.

Because any authenticated user can access this endpoint, an attacker with low privileges can obtain password hashes of administrative users and potentially crack them. The vulnerability is classified as an exposure of sensitive information to an unauthorized actor (CWE-200).

Impact Analysis

This vulnerability impacts the confidentiality of user data within SuiteCRM. An attacker who exploits this flaw can retrieve sensitive information such as password hashes and MFA configurations of other users, including administrators.

If an attacker successfully cracks administrative users' passwords, they could gain unauthorized access to the system with elevated privileges, potentially leading to further compromise.

The vulnerability does not affect the integrity or availability of the system but poses a significant risk to user credential security. [1]


Detection Guidance

This vulnerability can be detected by checking if the SuiteCRM instance is running a vulnerable version (prior to 8.9.3) and by testing access to the authenticated API endpoint /api/users.

You can attempt to authenticate as a low-privileged user and send a request to the /api/users endpoint to see if detailed user information, including password hashes, is returned.

Example command using curl to test the endpoint (replace <token> with a valid authentication token):

    curl -H "Authorization: Bearer <token>" https://<suitecrm-host>/api/users

If the response contains detailed user information such as password hashes and MFA configurations, the system is vulnerable. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade SuiteCRM to version 8.9.3 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict access to the /api/users endpoint to only trusted users or roles, if possible.

Additionally, monitor API access logs for unusual or unauthorized requests to the /api/users endpoint.
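As an added example of the log monitoring suggested above (not code from the advisory or from the SuiteCRM project), the script below parses web-server access logs in the common combined format, counts successful GET requests to /api/users per client, and flags clients that listed the whole user collection or read more distinct user records than routine CRM use would need. The log lines, IP addresses, user IDs and thresholds are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (not real
# SuiteCRM logs); the IPs, paths and user IDs are assumptions for this demo.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:10:01:02 +0000] "GET /api/users/1 HTTP/1.1" 200 1842 "-" "curl/8.5"
10.0.0.5 - - [20/Mar/2026:10:01:03 +0000] "GET /api/users/2 HTTP/1.1" 200 1790 "-" "curl/8.5"
10.0.0.5 - - [20/Mar/2026:10:01:04 +0000] "GET /api/users/3 HTTP/1.1" 200 1801 "-" "curl/8.5"
10.0.0.5 - - [20/Mar/2026:10:01:05 +0000] "GET /api/users HTTP/1.1" 200 9120 "-" "curl/8.5"
10.0.0.9 - - [20/Mar/2026:10:05:00 +0000] "GET /api/users/7 HTTP/1.1" 200 1799 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2026:10:05:01 +0000] "GET /api/module/Accounts HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Matches the collection (/api/users) and single records (/api/users/<id>).
USERS_RE = re.compile(r"^/api/users(?:/(?P<uid>[^/?]+))?(?:\?.*)?$")


def summarize_user_api_access(log_text):
    """Return {ip: {"list": n, "ids": {...}}} for successful GET /api/users hits."""
    stats = defaultdict(lambda: {"list": 0, "ids": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        u = USERS_RE.match(m["path"])
        if not u:
            continue
        if u["uid"] is None:
            stats[m["ip"]]["list"] += 1   # full collection listing
        else:
            stats[m["ip"]]["ids"].add(u["uid"])
    return stats


def flag_suspicious(stats, max_distinct_ids=2, max_listings=0):
    """Clients that listed all users, or read more distinct user records than
    ordinary CRM use would need (thresholds are assumptions; tune per site)."""
    return sorted(
        ip for ip, s in stats.items()
        if s["list"] > max_listings or len(s["ids"]) > max_distinct_ids
    )


if __name__ == "__main__":
    for ip in flag_suspicious(summarize_user_api_access(SAMPLE_LOG)):
        print("review user-record access from", ip)
```

Feed it the real access log of the reverse proxy in front of SuiteCRM and correlate flagged clients with the authenticated account in the application's own logs.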
