CVE-2026-29108
Information Disclosure via Authenticated API in SuiteCRM Before
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suitecrm | suitecrm | to 8.9.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29108 is a moderate severity vulnerability in SuiteCRM versions up to 8.9.2. It involves an authenticated API endpoint (/api/users) that allows any authenticated user to retrieve detailed information about any other user. This information includes sensitive data such as password hashes, usernames, and multi-factor authentication (MFA) configurations.
Because any authenticated user can access this endpoint, an attacker with low privileges can obtain password hashes of administrative users and potentially crack them. The vulnerability is classified as an exposure of sensitive information to an unauthorized actor (CWE-200).
How can this vulnerability impact me?
This vulnerability impacts the confidentiality of user data within SuiteCRM. An attacker who exploits this flaw can retrieve sensitive information such as password hashes and MFA configurations of other users, including administrators.
If an attacker successfully cracks administrative users' passwords, they could gain unauthorized access to the system with elevated privileges, potentially leading to further compromise.
The vulnerability does not affect the integrity or availability of the system but poses a significant risk to user credential security. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the SuiteCRM instance is running a vulnerable version (prior to 8.9.3) and by testing access to the authenticated API endpoint /api/users.
You can attempt to authenticate as a low-privileged user and send a request to the /api/users endpoint to see if detailed user information, including password hashes, is returned.
Example command using curl to test the endpoint (replace <token> with a valid authentication token):
- `curl -H "Authorization: Bearer <token>" https://<suitecrm-host>/api/users`
If the response contains detailed user information such as password hashes and MFA configurations, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade SuiteCRM to version 8.9.3 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict access to the /api/users endpoint to only trusted users or roles, if possible.
Additionally, monitor API access logs for unusual or unauthorized requests to the /api/users endpoint.
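The log review suggested above can be scripted. The following is an added example, not part of this advisory or of SuiteCRM; it assumes a constructed access log format (timestamp, client IP, authenticated user, method, path, status) and treats any path under /api/users as a user-record read, which is an assumption about the API's routing.

```python
import re

# Constructed sample API access log lines (hypothetical format: timestamp,
# client IP, authenticated user, HTTP method, request path, status code).
SAMPLE_LOG = """\
2026-03-21T10:00:01Z 10.0.0.5 admin GET /api/users 200
2026-03-21T10:00:07Z 10.0.0.9 jdoe GET /api/users 200
2026-03-21T10:00:08Z 10.0.0.9 jdoe GET /api/users/7 200
2026-03-21T10:00:09Z 10.0.0.9 jdoe GET /api/users/8?fields=all 200
2026-03-21T10:01:00Z 10.0.0.12 msmith GET /api/contacts 200
2026-03-21T10:01:30Z 10.0.0.9 jdoe GET /api/users/9 403
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_users_endpoint(path):
    """True for /api/users and (assumed) /api/users/<id>; query string ignored."""
    path = path.split("?", 1)[0].rstrip("/")
    return path == "/api/users" or path.startswith("/api/users/")


def find_user_enumeration(events, admin_users, threshold=1):
    """Report non-admin accounts reading /api/users at least `threshold` times.

    'attempts' counts every GET to the endpoint; 'disclosed' counts only 2xx
    responses, i.e. requests where user records were actually returned.
    """
    hits = {}
    for e in events:
        if e["method"] != "GET" or not is_users_endpoint(e["path"]):
            continue
        if e["user"] in admin_users:
            continue  # administrators are expected to list users
        rec = hits.setdefault(e["user"], {"attempts": 0, "disclosed": 0, "ips": set()})
        rec["attempts"] += 1
        if e["status"].startswith("2"):
            rec["disclosed"] += 1
        rec["ips"].add(e["ip"])
    return {u: r for u, r in hits.items() if r["attempts"] >= threshold}
```

On a patched instance a low-privileged account should produce no 'disclosed' hits at all; on an unpatched one every 2xx response in the report is a user record, potentially including a hash, that left the server.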