CVE-2026-29189
Missing ACL Checks in SuiteCRM REST API Allow Unauthorized Access
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| suitecrm | suitecrm | Before 7.15.1 (excluding 7.15.1) |
| suitecrm | suitecrm | From 8.0.0 (including) to 8.9.3 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29189 is a high-severity vulnerability in SuiteCRM's REST API V8, affecting versions before 7.15.1 and versions from 8.0.0 up to but excluding 8.9.3. The issue arises from missing Access Control List (ACL) checks on several API endpoints, which lets authenticated users bypass authorization controls.

Specifically, any authenticated user can read other users' preferences and settings, and can read, create, or delete relationships between records without the permissions the ACL would normally require. This bypasses SecurityGroup-based data isolation and leads to unauthorized access to, and modification of, sensitive data.

The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key): the server fails to enforce authorization when the client supplies the key that identifies another user's or record's data. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure and modification of sensitive data within SuiteCRM.
- An attacker with valid credentials can read other users' preferences and settings, potentially exposing private information.
- They can also create or delete relationships between records without permission, which can corrupt or manipulate critical business data.
Because the attack complexity is low and no user interaction is required, any authenticated user is a credible source of exploitation, so the risk is significant wherever accounts are shared widely or issued to external parties. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing Access Control List (ACL) checks on several SuiteCRM REST API V8 endpoints, allowing authenticated users to access or manipulate data they are not authorized for.
Detection involves monitoring or testing the REST API V8 endpoints for user preferences and record relationships for access that crosses user or SecurityGroup boundaries.
Since exploitation requires authentication and consists of ordinary API calls, detection can be performed by reviewing API access logs for unusual access patterns, or by sending requests from a deliberately low-privileged account to endpoints that should be restricted and checking whether ACL and SecurityGroup restrictions are actually enforced.
Specific commands are not provided in the available resources, but general approaches include:
- Using API testing tools (e.g., curl, Postman) to send requests, authenticated as a low-privileged user, to the REST API V8 endpoints for user preferences and record relationships, targeting records and users outside that user's SecurityGroups, and checking whether the server returns or modifies data it should deny.
- Reviewing SuiteCRM REST API access logs (the web-server logs for the /Api/V8/ path) for users reading or modifying data outside their permission scope, in particular relationship creation and deletion calls against records they cannot otherwise see.
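The log-review approach above, worked through as an added example. This is not SuiteCRM code and does not come from the advisory; it replays offline the ACL check the vulnerable endpoints skipped. Everything it relies on is an assumption labelled in the code: an access log in combined format with the authenticated SuiteCRM user appended as a trailing `user=<name>` field (a hypothetical web-server customisation), V8 routes of the documented shape `/Api/V8/module/<Module>/<id>/relationships[/<link>[/<relatedId>]]` and `/Api/V8/user/preferences`, and a hand-constructed `VISIBLE` map standing in for an export of which records each user may see under SecurityGroup/ownership rules. The sample log lines are constructed, not real traffic.

```python
"""Added example (not SuiteCRM code, not from the advisory): find SuiteCRM REST API
V8 calls that read or write relationships on records the calling user cannot see,
and count hits on the user-preference routes for manual review.

Assumptions (all constructed for this example):
  * combined-format access log with a trailing "user=<name>" field;
  * V8 route shapes /Api/V8/module/<Module>/<id>/relationships[/<link>[/<relatedId>]]
    and /Api/V8/user/preferences;
  * VISIBLE maps each user to the record ids they may see (SecurityGroup/ownership).
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ user=(?P<user>\S+)$'
)
REL_RE = re.compile(
    r'^/Api/V8/module/(?P<module>[^/]+)/(?P<record>[^/?]+)/relationships'
    r'(?:/(?P<link>[^/?]+))?(?:/(?P<related>[^/?]+))?/?(?:\?.*)?$'
)
PREF_RE = re.compile(r'^/Api/V8/user/preference')

# Constructed sample log: alice works on a record she may see; bob creates and
# deletes relationships on a record outside his SecurityGroups, then reads preferences.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:10:01:02 +0000] "GET /Api/V8/module/Accounts/3f2a HTTP/1.1" 200 812 user=alice
10.0.0.5 - - [20/Mar/2026:10:01:09 +0000] "GET /Api/V8/module/Accounts/3f2a/relationships/contacts HTTP/1.1" 200 611 user=alice
10.0.0.9 - - [20/Mar/2026:10:02:15 +0000] "POST /Api/V8/module/Accounts/3f2a/relationships HTTP/1.1" 201 98 user=bob
10.0.0.9 - - [20/Mar/2026:10:02:20 +0000] "DELETE /Api/V8/module/Accounts/3f2a/relationships/contacts/77c1 HTTP/1.1" 200 40 user=bob
10.0.0.9 - - [20/Mar/2026:10:02:31 +0000] "GET /Api/V8/module/Accounts/9b10/relationships/contacts HTTP/1.1" 200 502 user=bob
10.0.0.9 - - [20/Mar/2026:10:02:44 +0000] "GET /Api/V8/user/preferences HTTP/1.1" 200 211 user=bob
"""

# Constructed visibility export: record ids each user is allowed to see.
VISIBLE = {"alice": {"3f2a", "9b10"}, "bob": {"9b10"}}


@dataclass
class Finding:
    user: str
    method: str
    path: str
    reason: str


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_relationships(log_text: str, visible: dict) -> list:
    """Flag successful relationship reads and writes on records the acting user may not see.
    This is the ACL check the vulnerable endpoints skipped, applied after the fact."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e or not e["status"].startswith("2"):
            continue  # unparsable, or the server already refused it
        rel = REL_RE.match(e["path"])
        if not rel:
            continue
        record = rel.group("record")
        if record not in visible.get(e["user"], set()):
            verb = "write" if e["method"] in ("POST", "DELETE", "PATCH") else "read"
            findings.append(Finding(
                e["user"], e["method"], e["path"],
                f"relationship {verb} on {rel.group('module')}/{record} not visible to {e['user']}",
            ))
    return findings


def preference_reads(log_text: str) -> dict:
    """Count successful hits on the user-preference routes per user, for manual review."""
    counts = {}
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e and e["status"].startswith("2") and PREF_RE.match(e["path"]):
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_relationships(SAMPLE_LOG, VISIBLE):
        print(f"{f.user} {f.method} {f.path}: {f.reason}")
    print("preference reads per user:", preference_reads(SAMPLE_LOG))
```

Only successful (2xx) calls are flagged, so the output is the set of requests the server actually served despite the caller having no visibility of the parent record; on the constructed sample that is bob's POST and DELETE on Accounts/3f2a. The preference count is a review aid rather than a verdict, because the page does not state how the cross-user read is requested.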
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade SuiteCRM to a patched version where this vulnerability is fixed.
Specifically, upgrade to SuiteCRM version 7.15.1 or later, or 8.9.3 or later, as these versions include patches that address the missing ACL checks in the REST API V8.
Until the upgrade is applied, limit who can reach the SuiteCRM REST API (for example, by restricting the API path at the network or web-server level to the hosts and integration accounts that need it, and revoking API credentials that are no longer used) and monitor API usage closely for unauthorized access attempts.
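The affected-version ranges from this advisory, turned into an inventory check as an added example. This is not SuiteCRM code and the version-file format is an assumption: the script reads the version string from a constructed copy of the installation's `suitecrm_version.php` (assumed to declare `$suitecrm_version = '...';`) and reports whether it falls before 7.15.1 or in 8.0.0 up to but excluding 8.9.3, and which fixed release to move to.

```python
"""Added example (not SuiteCRM code): classify an installed SuiteCRM version against
the affected ranges in this advisory and name the release to upgrade to.

Assumption, not from the advisory: the version is read from suitecrm_version.php,
which declares $suitecrm_version = '...'; a constructed copy of that file is used here.
"""
import re

# Ranges from the advisory's affected-products table, as half-open [lower, upper) tuples.
AFFECTED_RANGES = [((0, 0, 0), (7, 15, 1)), ((8, 0, 0), (8, 9, 3))]

VERSION_RE = re.compile(r"""\$suitecrm_version\s*=\s*['"]([^'"]+)['"]""")

# Constructed stand-in for the contents of suitecrm_version.php on an 8.x install.
SAMPLE_VERSION_FILE = "<?php\n$suitecrm_version = '8.8.0';\n"


def parse_version(text: str) -> tuple:
    """Turn '7.14.6' or '8.9' into a comparable 3-tuple of ints.
    A pre-release suffix such as '-rc1' is dropped, so treat a result that lands
    exactly on a fixed version as unconfirmed rather than as patched."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version: str) -> bool:
    """True when the version lies inside any advisory range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_file(contents: str) -> str:
    """Extract the version string from suitecrm_version.php contents."""
    m = VERSION_RE.search(contents)
    if not m:
        raise ValueError("no $suitecrm_version assignment found")
    return m.group(1)


def check_install(contents: str) -> dict:
    """Report the installed version, whether it is affected, and the fixed release to move to."""
    ver = version_from_file(contents)
    affected = is_affected(ver)
    fixed = "8.9.3" if parse_version(ver) >= (8, 0, 0) else "7.15.1"
    return {"version": ver, "affected": affected, "upgrade_to": fixed if affected else None}


if __name__ == "__main__":
    print(check_install(SAMPLE_VERSION_FILE))
```

Run it against the real file on each SuiteCRM host (for example by substituting `open("suitecrm_version.php").read()` for the constructed string) to build an upgrade list; anything reported as affected goes to 7.15.1 or 8.9.3 per the mitigation above.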