Cyber Posture

CVE-2026-29099

Severity: High

Published: 19 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (7.15.1 and 8.9.3)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (11.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29099 is a high-severity SQL Injection (CWE-89) vulnerability in Suitecrm Suitecrm. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related, categorised as Other AI Platforms within the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI-generated

prevent (SI-2 Flaw Remediation): Directly mitigates the SQL injection vulnerability by requiring timely identification, reporting, and correction of flaws, such as applying the SuiteCRM patches in versions 7.15.1 and 8.9.3.

prevent (SI-10 Information Input Validation): Prevents SQL injection by enforcing validation of user-controlled inputs, such as the `$id` parameter in the `retrieve()` function, before they reach database queries.

detect (RA-5 Vulnerability Monitoring and Scanning): Detects the SQL injection vulnerability through regular vulnerability scanning of the SuiteCRM application and its hosting environment.

MITRE ATT&CK Enterprise Techniques · AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.004 Customer Relationship Management Software (Collection): Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
Why these techniques?

SQL injection in the network-accessible SuiteCRM web application directly enables remote exploitation (T1190) and arbitrary retrieval of data (including credentials) from the CRM information repository (T1213.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be called, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.
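The description above turns on a fragile contract: `retrieve()` trusts every caller to have quoted `$id`, and two callers do not. The following is an added illustration of that pattern and its hardened counterpart, not SuiteCRM's own code; the table, column names, the in-memory fixture and the 36-character GUID id format are assumptions made for the example.

```php
<?php
// Added illustration, not SuiteCRM code. Table/column names are assumed.
declare(strict_types=1);

// Fragile pattern: the callee interpolates $id and relies on every caller
// having quoted and sanitized it. Any caller that forwards raw request
// input unchanged turns this line into a SQL injection point.
function retrieveUnsafe(PDO $db, string $id): ?array
{
    $sql = "SELECT id, name, smtp_server FROM outbound_email WHERE id = '$id'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the callee enforces its own contract. It rejects any id
// that is not a well-formed record id (assumed GUID) and binds the value as
// a parameter, so no caller can turn $id into SQL syntax.
function retrieveSafe(PDO $db, string $id): ?array
{
    if (!preg_match('/^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i', $id)) {
        throw new InvalidArgumentException('malformed record id');
    }
    $stmt = $db->prepare(
        'SELECT id, name, smtp_server FROM outbound_email WHERE id = :id'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory fixture so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE outbound_email (id TEXT PRIMARY KEY, name TEXT, smtp_server TEXT)');
$db->exec("INSERT INTO outbound_email VALUES "
    . "('11111111-2222-3333-4444-555555555555', 'system', 'smtp.example.test')");

$good = '11111111-2222-3333-4444-555555555555';
echo retrieveSafe($db, $good)['name'], "\n";          // system

try {
    retrieveSafe($db, "bad' input");                 // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The important difference is where the check lives: the hardened version does not depend on which of its callers (here, the paths reachable through `EmailUIAjax`) happened to sanitize input first.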

Deeper analysis · AI-generated

CVE-2026-29099 is a SQL injection vulnerability in SuiteCRM, an open-source enterprise Customer Relationship Management (CRM) application. The issue resides in the `retrieve()` function within `include/OutboundEmail/OutboundEmail.php`, which fails to properly neutralize the user-controlled `$id` parameter prior to versions 7.15.1 and 8.9.3. Although the function assumes that calling code will sanitize inputs, two paths reachable via the `EmailUIAjax` action in the `Email()` module do not perform this sanitization, enabling injection. This affects the latest major versions 7.15 and 8.9 and is classified under CWE-89 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By manipulating the `$id` parameter, the attacker can inject arbitrary SQL through the `retrieve()` function. Due to the lack of restrictions on accessible tables, exploitation allows retrieval of sensitive database information, including user details and password hashes, potentially enabling further compromise such as privilege escalation or data exfiltration.

Patches addressing this vulnerability are available in SuiteCRM versions 7.15.1 and 8.9.3. Security practitioners should upgrade to these fixed releases immediately. Additional details are provided in the SuiteCRM 7.15.x release documentation at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products
suitecrm / suitecrm: ≤ 7.15.1 · 8.0.0 — 8.9.3

AI Security Analysis · AI-generated

AI Category: Other AI Platforms
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: function calling

CVEs Like This One

CVE-2026-29096 (same product: Suitecrm Suitecrm)
CVE-2026-33288 (same product: Suitecrm Suitecrm)
CVE-2026-29189 (same product: Suitecrm Suitecrm)
CVE-2026-29102 (same product: Suitecrm Suitecrm)
CVE-2026-33289 (same product: Suitecrm Suitecrm)
CVE-2026-29109 (same product: Suitecrm Suitecrm)
CVE-2026-29103 (same product: Suitecrm Suitecrm)
CVE-2026-29097 (same product: Suitecrm Suitecrm)
CVE-2026-29100 (same product: Suitecrm Suitecrm)
CVE-2026-29101 (same product: Suitecrm Suitecrm)