Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.
Published: 2026-03-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access via IDOR
Action: Patch
AI Analysis

Impact

SuiteCRM's REST API V8 is missing ACL checks on several endpoints, which lets any authenticated user read or modify records that belong to other users or that their role does not grant access to. This is the classic IDOR (Insecure Direct Object Reference) pattern and is mapped to CWE-639 (Authorization Bypass Through User-Controlled Key), i.e. a horizontal or vertical privilege escalation risk. The consequence is that an attacker holding an ordinary account can expose confidential information or alter records, potentially compromising customer data and undermining business integrity.

Affected Systems

All SuiteCRM installations running versions earlier than 7.15.1 (7.x branch) or 8.9.3 (8.x branch) are affected. The vulnerability has been confirmed on the SuiteCRM product across all supported database backends and does not depend on any particular module, so every deployment that exposes the V8 REST API is at risk until it is upgraded.

Risk and Exploitability

The CVSS base score is 8.1, indicating a high-severity vulnerability. The EPSS score of less than 1% suggests that exploitation is not widespread at this time, and the vulnerability is not listed in the CISA KEV catalog. However, exploitation is straightforward for any user who holds valid login credentials: the attacker simply issues REST requests to the vulnerable endpoints. Because the server performs no authorization check on these endpoints, the attack is reliable once authentication succeeds.

Generated by OpenCVE AI on March 23, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SuiteCRM to version 7.15.1 or later (7.x branch) or 8.9.3 or later (8.x branch); these releases contain the missing ACL checks.
  • After the upgrade, verify that the REST API V8 endpoints enforce ACL, i.e. that a low-privileged account can no longer read or modify records outside its own scope.
  • If an upgrade cannot be performed immediately, restrict access to the REST API V8 so that only users whose privileges already cover the data exposed by the affected endpoints can reach it.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:00:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Suitecrm; Suitecrm suitecrm

Type: Vendors & Products
Values removed: (none)
Values added: Suitecrm; Suitecrm suitecrm

Thu, 19 Mar 2026 23:30:00 +0000

Type: Description
Values removed: (none)
Values added: SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.

Type: Title
Values removed: (none)
Values added: SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints

Type: Weaknesses
Values removed: (none)
Values added: CWE-639

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T14:59:32.066Z

Reserved: 2026-03-04T14:44:00.714Z

Link: CVE-2026-29189

Vulnrichment

Updated: 2026-03-20T14:59:28.883Z

NVD

Status: Analyzed

Published: 2026-03-20T00:16:16.303

Modified: 2026-03-23T16:46:51.237

Link: CVE-2026-29189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:05Z

Weaknesses