CVE-2026-29101
Published: 19 March 2026
Summary
CVE-2026-29101 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in SuiteCRM (vendor: SuiteCRM). Its CVSS base score is 4.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 6.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Timely flaw remediation, by applying the SuiteCRM patches shipped in versions 7.15.1 and 8.9.3, directly eliminates this DoS vulnerability in SuiteCRM modules.
- Denial-of-service protection directly limits the effect of this network-accessible, high-privilege DoS attack on SuiteCRM availability.
- Information input validation blocks the relative path traversal (CWE-23) inputs that trigger this DoS condition in SuiteCRM modules.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a network-reachable application vulnerability (path traversal leading to resource exhaustion) that a high-privileged attacker can exploit directly to crash or deny service to the SuiteCRM instance. This maps exactly to T1499.004 Application or System Exploitation.
NVD Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, a Denial-of-Service (DoS) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue.
Deeper analysis
CVE-2026-29101 is a Relative Path Traversal weakness (CWE-23) that results in a Denial-of-Service (DoS) condition in SuiteCRM, an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The issue resides in SuiteCRM modules and affects versions prior to 7.15.1 and 8.9.3. It has a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H): medium severity, driven by the high availability impact with no confidentiality or integrity effect.
An attacker holding high privileges can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation results in a DoS condition that disrupts availability of the affected SuiteCRM instance without compromising data confidentiality or integrity.
SuiteCRM versions 7.15.1 and 8.9.3 patch the vulnerability. Additional details are available in the SuiteCRM 7.15.x release documentation at https://docs.suitecrm.com/admin/releases/7.15.x and in the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg.
Details
- CWE(s): CWE-23 (Relative Path Traversal)