CVE-2026-29108

MEDIUM

Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

Title source: cna

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.

References (1)

[X_Refsource_Confirm] https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 3.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

suitecrm/suitecrm < 8.9.3

SuiteCRM/SuiteCRM-Core < 8.9.3

Published Mar 20, 2026

Tracked Since Mar 20, 2026