{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29189", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.714Z", "datePublished": "2026-03-19T23:05:16.814Z", "dateUpdated": "2026-03-20T14:59:32.066Z"}, "containers": {"cna": {"title": "SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv"}, {"name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"], "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"version": "< 7.15.1", "status": "affected"}, {"version": ">= 8.0.0, < 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:05:16.814Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue."}], "source": {"advisory": "GHSA-m6x8-3hxp-qxwv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:59:25.962953Z", "id": "CVE-2026-29189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:59:32.066Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints", "source": {"advisory": "GHSA-m6x8-3hxp-qxwv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM", "versions": [{"status": "affected", "version": "< 7.15.1"}, {"status": "affected", "version": ">= 8.0.0, < 8.9.3"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv", "name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "name": "https://docs.suitecrm.com/admin/releases/7.15.x", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:05:16.814Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:59:25.962953Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-20T14:59:28.883Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-29189", "state": "PUBLISHED", "dateUpdated": "2026-03-19T23:05:16.814Z", "dateReserved": "2026-03-04T14:44:00.714Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:05:16.814Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue."}], "id": "CVE-2026-29189", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:16.303", "references": [{"source": "security-advisories@github.com", "url": "https://docs.suitecrm.com/admin/releases/7.15.x"}, {"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.15.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.9.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SuiteCRM", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-20T00:23:18.141933+00:00", "value": {"mitigation_remediation": ["Upgrade SuiteCRM to version 7.15.1 or later, or version 8.9.3 or later, which contain the fix for missing ACL checks.", "If an upgrade cannot be performed immediately, limit or block access to the affected API endpoints for non-privileged users and ensure ACL checks are applied manually.", "Verify that user roles have appropriate permissions and audit API access logs for unusual activity."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Data Access/Modification"}, "threat_synthesis": {"affected_systems": "SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected. Users running SuiteCRM 7.x or 8.x installations that have not applied the 7.15.1 / 8.9.3 patches are susceptible.", "description_and_impact": "The vulnerability is an Insecure Direct Object Reference (IDOR) caused by missing ACL checks on several REST API V8 endpoints in SuiteCRM. It allows an authenticated user to read and modify data, such as user preferences and relationships, that they are not authorized to access. This can lead to data exposure or corruption. The weakness aligns with CWE-639: Failure to Verify Permissions Before Performing an Action.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. Since the issue requires only authenticated access and no special privileges, the probability of exploitation is significant for any compromised or legitimate user account. No EPSS data is available, but the vulnerability is not listed in CISA's KEV, suggesting no publicly known exploits yet. An attacker can exploit the flaw by making API requests to the affected endpoints using valid credentials."}}}}, "created": "2026-03-20T08:54:26.305236+00:00", "updated": "2026-03-20T10:43:54.016813+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}