CVE-2026-29189
Published: 20 March 2026
Summary
CVE-2026-29189 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in SuiteCRM. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 2.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly addresses the CVE's core issue of missing ACL checks by requiring enforcement of approved authorizations for logical access to information and system resources in API endpoints.
- SI-2 (Flaw Remediation): Mitigates the authorization bypass flaw through timely identification, reporting, and correction of the software vulnerability, as fixed in SuiteCRM versions 7.15.1 and 8.9.3.
- Limits the impact of unauthorized data access and manipulation by ensuring low-privileged authenticated users only have the access necessary for their assigned tasks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass in public-facing SuiteCRM REST API directly enables exploitation of the web app (T1190), unauthorized collection from CRM data repositories (T1213.004), and stored data tampering (T1565.001).
NVD Description
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.
Deeper analysis
CVE-2026-29189 affects SuiteCRM, an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions prior to 7.15.1 and 8.9.3, the SuiteCRM REST API V8 lacks Access Control List (ACL) checks on several endpoints. This authorization bypass vulnerability, classified as CWE-639, enables authenticated users to access and manipulate data beyond their permitted scope. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
A low-privileged authenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting requests to the affected API endpoints, the attacker gains unauthorized read and write access to sensitive CRM data, such as customer records or other restricted information, potentially leading to significant data exposure and tampering.
SuiteCRM versions 7.15.1 and 8.9.3 address the issue with patches that restore proper ACL enforcement. Security practitioners are advised to upgrade immediately. Further details on the fix and release notes are provided in the official documentation at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv.
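The pattern behind CWE-639 on a record-oriented REST endpoint, shown as an added example that is not SuiteCRM's code and does not reproduce its API: a handler that looks up a record by the id the client supplies and returns or modifies it without consulting the ACL, placed beside a hardened handler that enforces object-level authorization on every request (the AC-3 control named above). The users, records, roles and ACL table are constructed for illustration.

```python
"""
Constructed illustration of CWE-639 (authorization bypass through a
user-controlled key) on a REST-style record endpoint, with the vulnerable
handler beside a hardened one that enforces an ACL on every request.

This is example code written for this page; it is not SuiteCRM's API
implementation. Users, records, roles and the ACL model are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str


@dataclass
class Record:
    id: int
    owner: str
    data: dict = field(default_factory=dict)


# Constructed ACL: role -> actions permitted on records owned by someone else.
# Owners may always view and edit their own records (see is_allowed).
ACL = {
    "admin": {"view", "edit"},
    "sales": {"view"},   # may read others' records, may not edit them
    "guest": set(),      # no access to anyone else's records
}

# Constructed record store keyed by the client-supplied id, i.e. the
# "user-controlled key" of CWE-639.
RECORDS = {
    1: Record(1, "alice", {"name": "Acme Corp", "phone": "555-0100"}),
    2: Record(2, "bob", {"name": "Globex", "phone": "555-0199"}),
}


class Forbidden(Exception):
    """Raised when the ACL denies the requested action (maps to HTTP 403)."""


def is_allowed(user: User, record: Record, action: str) -> bool:
    """Object-level authorization: the owner, or a role granted `action`."""
    if record.owner == user.name:
        return True
    return action in ACL.get(user.role, set())


# --- Vulnerable handlers: trust the id from the request, never consult the ACL ---
def get_record_vulnerable(user: User, record_id: int) -> dict:
    record = RECORDS[record_id]          # no check that `user` may see this record
    return dict(record.data)


def update_record_vulnerable(user: User, record_id: int, changes: dict) -> dict:
    record = RECORDS[record_id]          # any authenticated user can modify any record
    record.data.update(changes)
    return dict(record.data)


# --- Hardened handlers: authorization is enforced before any data is touched ---
def get_record(user: User, record_id: int) -> dict:
    record = RECORDS.get(record_id)
    # One response for "missing" and "denied", so ids cannot be enumerated
    if record is None or not is_allowed(user, record, "view"):
        raise Forbidden(f"record {record_id} not accessible")
    return dict(record.data)


def update_record(user: User, record_id: int, changes: dict) -> dict:
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(user, record, "edit"):
        raise Forbidden(f"record {record_id} not accessible")
    record.data.update(changes)
    return dict(record.data)


def denied(handler, *args) -> bool:
    """True if the handler refuses the request; used to check enforcement."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    mallory = User("mallory", "guest")
    # Vulnerable endpoint hands a guest another user's record
    print("vulnerable:", get_record_vulnerable(mallory, 2))
    # Hardened endpoint refuses the same request
    print("hardened denied:", denied(get_record, mallory, 2))
```

The check lives inside each handler rather than in the caller, which is the property the fix restores: every endpoint that takes a record id must decide, per record and per action, whether this principal is entitled to it. Returning the same error for an unknown id and a denied id also keeps the endpoint from confirming which ids exist.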
Details
- CWE(s)