Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user-controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from the retrieve() function in SuiteCRM’s OutboundEmail module not correctly sanitizing the $id parameter. An authenticated user can trigger this function via the EmailUIAjax action on the Email module, enabling blind SQL injection. This flaw permits extraction of arbitrary data from the database, including sensitive user credentials and password hashes, and is classified under CWE-89.
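The bug class the description and this impact summary point at, as an added illustration (hypothetical code, not SuiteCRM's own `retrieve()`): a helper that splices `$id` into SQL under the assumption that its caller already quoted it, beside a version that validates and binds the value itself so the contract no longer depends on every caller. The table, column names, id format and inputs are constructed for the demo.

```php
<?php
// Added illustration of the contract described in the advisory: a retrieve()-style
// helper that relies on its caller to quote $id, next to a hardened version.
// Hypothetical code, not SuiteCRM's; table, columns and ids are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE outbound_email (id TEXT PRIMARY KEY, name TEXT, mail_smtpuser TEXT)');
$db->exec("INSERT INTO outbound_email VALUES ('a1', 'system', 'smtp-system'), ('b2', 'alice', 'smtp-alice')");

// Fragile contract: $id is spliced in verbatim and the caller is expected to have
// quoted it already. Every caller that forgets becomes an injection point, and
// nothing limits which tables a rewritten WHERE clause can reach.
function retrieve_unsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM outbound_email WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the function owns its own safety. The id is checked against the
// expected shape (a constructed GUID-like pattern here) and bound as a parameter,
// so no caller can change the structure of the query.
function retrieve_safe(PDO $db, string $id): array
{
    if (!preg_match('/^[A-Za-z0-9-]{1,36}$/', $id)) {
        throw new InvalidArgumentException('malformed record id');
    }
    $stmt = $db->prepare('SELECT id, name FROM outbound_email WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caller 1 honours the contract and quotes; caller 2 forwards request input raw,
// which is the situation the two EmailUIAjax call sites in the advisory describe.
$quoted = $db->quote('a1');
$raw    = "'a1' OR name = 'alice'";   // constructed input carrying its own SQL

// With the quoted value only the intended row can match; with the raw value the
// WHERE clause has been extended by the input and matches more than one record.
var_dump(count(retrieve_unsafe($db, $quoted)));
var_dump(count(retrieve_unsafe($db, $raw)));

// The hardened helper serves the legitimate id and refuses the raw value before
// any SQL is built, whatever the caller did.
var_dump(count(retrieve_safe($db, 'a1')));
try {
    retrieve_safe($db, $raw);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Run with `php example.php`; the first `var_dump` shows the quoted caller reaching one row, the second shows the raw caller widening the match, and the hardened helper rejects the raw value outright.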

Affected Systems

SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected. Specifically, the 7.15.x and 8.9.x major releases contain the vulnerable retrieve() implementation. Users running these versions should verify their build and update to the patched releases.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS is below 1%, suggesting a low probability of immediate exploitation, and the vulnerability is not listed in the CISA KEV catalog. Although the attack requires an authenticated session and involves a blind SQL injection path through EmailUIAjax, the lack of restrictions on database tables means an attacker could read a wide range of data. The combination of high impact and high severity makes it a priority to remediate.

Generated by OpenCVE AI on March 24, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch available in SuiteCRM 7.15.1 or 8.9.3 to remove the vulnerable retrieve() function.
  • If an upgrade is delayed, restrict database permissions for the web application to a minimum required set and isolate the EmailUIAjax endpoint from unauthenticated access.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared (none) Suitecrm; Suitecrm suitecrm
Vendors & Products (none) Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.
Title SuiteCRM has Authenticated Blind SQL Injection in OutboundEmail Legacy Functionality.
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-03-25T14:59:47.571Z

Reserved: 2026-03-03T21:54:06.708Z

Link: CVE-2026-29099

Vulnrichment

Updated: 2026-03-25T14:59:39.486Z

NVD

Status : Analyzed

Published: 2026-03-19T23:16:41.920

Modified: 2026-03-24T14:45:01.150

Link: CVE-2026-29099

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:18Z

Weaknesses