
CVE-2026-29099

Severity: High

Published: 19 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0026 (17.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29099 is a high-severity SQL Injection (CWE-89) vulnerability in SuiteCRM (vendor/product: Suitecrm Suitecrm). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is categorised as AI-related (AI category: Other Platforms) and placed in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-29099 is a SQL injection vulnerability in SuiteCRM, an open-source enterprise Customer Relationship Management (CRM) application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user-controlled `$id` parameter. The function assumes that its callers quote and sanitize the input, but two code paths reachable through the `EmailUIAjax` action of the `Email()` module do not, so the unsanitized value reaches the query. The flaw affects the latest major versions 7.15 and 8.9, is classified under CWE-89, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the `$id` parameter, the attacker can inject arbitrary SQL through the `retrieve()` function. Due to the lack of restrictions on accessible tables, exploitation allows retrieval of sensitive database information, including user details and password hashes, potentially enabling further compromise such as privilege escalation or data exfiltration.

Patches addressing this vulnerability are available in SuiteCRM versions 7.15.1 and 8.9.3. Security practitioners should upgrade to these fixed releases immediately. Additional details are provided in the SuiteCRM 7.15.x release documentation at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767.


Vulnerability details

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user-controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.
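The defect the Deeper analysis and Vulnerability details sections describe is a lookup function that trusts every caller to have quoted its `$id` argument. The following PHP is an added example written for this page; it is not SuiteCRM's code and not its actual `retrieve()` implementation. The table name, columns, sample rows, the 36-character GUID id format and the use of PDO with an in-memory SQLite database are all assumptions made so that it runs stand-alone. It places the caller-sanitizes pattern beside a hardened lookup that validates the id itself and binds it as a query parameter, which is the concrete form of the SI-10 input-validation control listed below.

```php
<?php
// Added example, not SuiteCRM's code: the unquoted-id pattern CWE-89 describes,
// beside a hardened lookup that validates the id and binds it as a query parameter.
// Assumptions: PHP 8 with pdo_sqlite; the table name, columns, rows and the
// 36-character GUID id format are constructed for the demo, not SuiteCRM's schema.
declare(strict_types=1);

function makeSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE outbound_email (id TEXT PRIMARY KEY, name TEXT, mail_smtpuser TEXT)');
    // Constructed sample row.
    $pdo->exec("INSERT INTO outbound_email VALUES
        ('11111111-2222-3333-4444-555555555555', 'system', 'smtp-user')");
    return $pdo;
}

// Unsafe shape: the function trusts its caller to have quoted and escaped $id, so a
// value that was not escaped is spliced straight into the SQL text and parsed as SQL.
function retrieveUnsafe(PDO $pdo, string $id): ?array
{
    $sql = "SELECT * FROM outbound_email WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened shape: the function defends itself instead of relying on every caller.
// 1. Reject anything that is not a record GUID before it reaches the database (SI-10).
// 2. Bind the id as a parameter, so the driver never treats it as SQL syntax.
function retrieveSafe(PDO $pdo, string $id): ?array
{
    if (!preg_match('/^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $id)) {
        throw new InvalidArgumentException('rejected: id is not a record GUID');
    }
    $stmt = $pdo->prepare('SELECT * FROM outbound_email WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = makeSampleDb();
$goodId = '11111111-2222-3333-4444-555555555555';
$badId  = "x' x";   // constructed malformed input: a stray quote, not a working payload

echo "safe lookup of a valid id: ", json_encode(retrieveSafe($pdo, $goodId)), "\n";

try {
    retrieveUnsafe($pdo, $badId);
} catch (PDOException $e) {
    // The quote character reached the SQL parser: the input became part of the statement text.
    echo "unsafe lookup: input altered the SQL statement (", $e->getMessage(), ")\n";
}

try {
    retrieveSafe($pdo, $badId);
} catch (InvalidArgumentException $e) {
    // Never reached the database; a request like this is worth logging and alerting on.
    echo "safe lookup: ", $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The two defences in `retrieveSafe()` are independent: the prepared statement keeps the value out of the SQL grammar even if a caller forgets to quote, and the format check turns a malformed id into a clean rejection that can be logged at the application layer rather than surfacing as a database error.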

CWE(s)

CWE-89 (SQL Injection)

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: "function calling"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.004 Customer Relationship Management Software (Collection): Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
Why these techniques?

SQL injection in the network-accessible SuiteCRM web application directly enables remote exploitation (T1190) and arbitrary retrieval of data, including credentials, from the CRM information repository (T1213.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29096 (same product: Suitecrm Suitecrm)
CVE-2026-33288 (same product: Suitecrm Suitecrm)
CVE-2026-29189 (same product: Suitecrm Suitecrm)
CVE-2026-33289 (same product: Suitecrm Suitecrm)
CVE-2026-29102 (same product: Suitecrm Suitecrm)
CVE-2026-29109 (same product: Suitecrm Suitecrm)
CVE-2026-29103 (same product: Suitecrm Suitecrm)
CVE-2026-29097 (same product: Suitecrm Suitecrm)
CVE-2026-29100 (same product: Suitecrm Suitecrm)
CVE-2026-29101 (same product: Suitecrm Suitecrm)

Affected Assets

suitecrm / suitecrm: ≤ 7.15.1 · 8.0.0 to 8.9.3

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mitigates the SQL injection vulnerability by requiring timely identification, reporting, and correction of flaws, such as applying the SuiteCRM patches in versions 7.15.1 and 8.9.3.

SI-10 Information Input Validation (prevent): Prevents SQL injection by enforcing validation of user-controlled inputs such as the `$id` parameter in the `retrieve()` function before they reach database queries.

RA-5 Vulnerability Monitoring and Scanning (detect): Detects the SQL injection vulnerability through regular vulnerability scanning of the SuiteCRM application and its hosting environment.
