Cyber Posture

CVE-2026-29096

High

Published: 19 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (7.15.1 / 8.9.3)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (1.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29096 is a high-severity SQL injection (CWE-89) vulnerability in SuiteCRM. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 1.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation)
Directly addresses the lack of validation on the `field_function` parameter, preventing malicious SQL payloads from being stored and later executed.

prevent (SI-2, Flaw Remediation)
Requires timely identification, reporting, and patching of the specific SQL injection flaw in SuiteCRM versions prior to 7.15.1 and 8.9.3.

detect
Enables scanning for SQL injection vulnerabilities like CVE-2026-29096 in the AOR_Reports module to identify and prioritize remediation.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Second-order SQLi in the web application directly enables T1190 (exploiting public-facing SuiteCRM for initial access), T1213.006 (exfiltration of arbitrary database data, including credentials and tokens) and T1505.003 (RCE via SELECT INTO OUTFILE to deploy a web shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue.

Deeper analysis

CVE-2026-29096 is a second-order SQL injection vulnerability in SuiteCRM, an open-source enterprise Customer Relationship Management (CRM) software application. The issue affects versions prior to 7.15.1 and 8.9.3, specifically in the AOR_Reports module. When creating or editing a report, the `field_function` parameter from POST data is saved directly into the `aor_fields` table without validation. Subsequently, when the report is executed or viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling the injection.

Any authenticated user with access to the Reports module can exploit this vulnerability. By injecting malicious SQL payloads into the `field_function` parameter during report creation or editing, attackers can extract arbitrary database contents, including password hashes, API tokens, and configuration values. On MySQL instances where the database user has FILE privileges, attackers could achieve remote code execution via SELECT INTO OUTFILE. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-89.

SuiteCRM versions 7.15.1 and 8.9.3 address the vulnerability by patching the validation and sanitization issues in the AOR_Reports module. Security practitioners should upgrade to these versions immediately. Additional details are available in the SuiteCRM 7.15.x release documentation at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m.
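As an added example, not SuiteCRM's own code: the store/read split behind this second-order injection, modelled on an in-memory SQLite copy of an `aor_fields` table, with an allowlist check on the store path and an audit that finds already-stored values a version upgrade alone would not clean. The table and column names come from the advisory; the allowlist of function names, the row layout and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed allowlist: the aggregate names a report field may legitimately apply.
# The real SuiteCRM set is not given on the advisory page; this is illustrative.
ALLOWED_FIELD_FUNCTIONS = frozenset({"", "COUNT", "SUM", "AVG", "MIN", "MAX"})
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_field_function(value: str) -> str:
    """Hardened store path: accept only an allowlisted function name, else refuse."""
    normalized = (value or "").strip().upper()
    if normalized not in ALLOWED_FIELD_FUNCTIONS:
        raise ValueError(f"rejected field_function: {value!r}")
    return normalized


def build_select(field_function: str, column: str, table: str) -> str:
    """Read path: the stored value is interpolated into the SELECT text. This is
    the sink; it is only safe because the value is re-checked against the
    allowlist here and the identifiers are restricted to a plain-name pattern."""
    if not (IDENTIFIER.fullmatch(column) and IDENTIFIER.fullmatch(table)):
        raise ValueError("column/table must be plain identifiers")
    func = validate_field_function(field_function)
    expr = f"{func}({column})" if func else column
    return f"SELECT {expr} FROM {table}"


def audit_stored_field_functions(conn: sqlite3.Connection) -> list[tuple[int, str]]:
    """Detection: patching stops new bad rows but leaves rows already stored.
    Return (id, field_function) for every row whose value is outside the allowlist."""
    rows = conn.execute("SELECT id, field_function FROM aor_fields").fetchall()
    return [(rid, ff) for rid, ff in rows
            if (ff or "").strip().upper() not in ALLOWED_FIELD_FUNCTIONS]


def constructed_db() -> sqlite3.Connection:
    """Constructed sample aor_fields rows: two legitimate, one that is not a bare name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aor_fields (id INTEGER PRIMARY KEY, field_function TEXT)")
    conn.executemany("INSERT INTO aor_fields (id, field_function) VALUES (?, ?)", [
        (1, "COUNT"),
        (2, ""),
        (3, "SUM(amount) AS x"),  # constructed: anything beyond a bare name is flagged
    ])
    return conn


if __name__ == "__main__":
    print(build_select("count", "id", "accounts"))
    print(audit_stored_field_functions(constructed_db()))
```

Run the audit against the live `aor_fields` table after upgrading; any row it returns was stored before validation existed and should be reviewed and removed.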

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: SuiteCRM (vendor SuiteCRM), ≤ 7.15.1 · 8.0.0 — 8.9.3

CVEs Like This One

CVE-2026-33288 (same product: SuiteCRM)
CVE-2026-29099 (same product: SuiteCRM)
CVE-2026-29102 (same product: SuiteCRM)
CVE-2026-33289 (same product: SuiteCRM)
CVE-2026-29109 (same product: SuiteCRM)
CVE-2026-29103 (same product: SuiteCRM)
CVE-2026-29097 (same product: SuiteCRM)
CVE-2026-29100 (same product: SuiteCRM)
CVE-2026-29189 (same product: SuiteCRM)
CVE-2026-29101 (same product: SuiteCRM)