CVE-2026-29109
Published: 20 March 2026
Summary
CVE-2026-29109 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Suitecrm Suitecrm. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the unsafe deserialization vulnerability by requiring timely patching to SuiteCRM version 8.9.3 or later, which fixes the unserialize() call in FilterDefinitionProvider.php.
Validates user-controlled serialized data from the saved_search.contents database column before deserialization to block malicious payloads leading to arbitrary command execution.
Enforces least privilege to restrict administrator accounts capable of crafting and storing exploitable data in saved searches, reducing the privileged attack surface.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization in the public-facing SuiteCRM web app (FilterDefinitionProvider.php) is directly exploitable over the network by an authenticated admin to achieve arbitrary system command execution (RCE) on the server.
NVD Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the…
more
server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.
Deeper analysisAI
CVE-2026-29109 is an unsafe deserialization vulnerability (CWE-502) affecting SuiteCRM, an open-source enterprise Customer Relationship Management (CRM) software application. The issue resides in the SavedSearch filter processing component, specifically in FilterDefinitionProvider.php, which calls the unserialize() function on user-controlled data stored in the saved_search.contents database column without restricting instantiable classes. This flaw impacts all versions up to and including 8.9.2 and has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An authenticated administrator can exploit this vulnerability by crafting malicious data in the saved_search.contents field, leading to arbitrary system command execution on the affected server during deserialization. The attack requires high privileges (PR:H) but no user interaction (UI:N) and can be performed over the network (AV:N) with low complexity (AC:L), potentially resulting in high confidentiality, integrity, and availability impacts (C:I:A:H).
The official advisory from SuiteCRM, available at https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24, confirms that version 8.9.3 addresses the vulnerability by patching the unsafe deserialization logic in the SavedSearch component. Security practitioners should upgrade to SuiteCRM 8.9.3 or later and review access controls for administrator accounts to mitigate risks.
Details
- CWE(s)