{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29108", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.709Z", "datePublished": "2026-03-19T23:10:59.651Z", "dateUpdated": "2026-03-21T03:06:59.568Z"}, "containers": {"cna": {"title": "Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM-Core", "versions": [{"version": "< 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:10:59.651Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."}], "source": {"advisory": "GHSA-xc8w-xc9v-45w5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T03:06:37.852701Z", "id": "CVE-2026-29108", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:06:59.568Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29108", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T03:06:37.852701Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:06:54.589Z"}}], "cna": {"title": "Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User", "source": {"advisory": "GHSA-xc8w-xc9v-45w5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM-Core", "versions": [{"status": "affected", "version": "< 8.9.3"}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5", "name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:10:59.651Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29108", "state": "PUBLISHED", "dateUpdated": "2026-03-21T03:06:59.568Z", "dateReserved": "2026-03-03T21:54:06.709Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T23:10:59.651Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD824E64-58E0-472C-84CB-6729B4B791DF", "versionEndExcluding": "8.9.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicaci\u00f3n de software de Gesti\u00f3n de Relaciones con Clientes (CRM) de c\u00f3digo abierto y lista para empresas. Antes de las versiones 8.9.3, un endpoint de API autenticado permite a cualquier usuario recuperar informaci\u00f3n detallada sobre cualquier otro usuario, incluyendo su hash de contrase\u00f1a, nombre de usuario y configuraci\u00f3n de MFA. Dado que cualquier usuario autenticado puede consultar este endpoint, es posible recuperar y potencialmente descifrar las contrase\u00f1as de los usuarios administrativos. La versi\u00f3n 8.9.3 corrige el problema."}], "id": "CVE-2026-29108", "lastModified": "2026-03-23T16:49:25.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:15.983", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.9.3)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "SuiteCRM-Core", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-23T18:54:04.989722+00:00", "value": {"mitigation_remediation": ["Upgrade suiteCRM to version 8.9.3 or later to patch the vulnerable API endpoint", "If an immediate upgrade is not possible, restrict API access to privileged roles and audit user permissions regularly", "Verify that backup and monitoring solutions are in place to detect unauthorized activity or anomalous API usage"], "summary": {"action": "Apply Patch", "impact": "Unauthorized access to user password hashes"}, "threat_synthesis": {"affected_systems": "All instances of suiteCRM Core running versions earlier than 8.9.3 are affected. The vulnerability originates from the default API response configuration and does not require any additional configuration changes. Updating to 8.9.3 or later eliminates the exposed endpoint and restores proper access controls.", "description_and_impact": "A suiteCRM API endpoint that accepts authenticated requests mistakenly returns comprehensive user data, including password hashes, usernames, and MFA settings. This flaw constitutes an information disclosure weakness (CWE\u2011200) and permits an attacker who has valid login credentials to harvest password hashes for any user, including administrative accounts. If an attacker replays a hashed value or conducts offline cracking, they can potentially obtain plaintext passwords and elevate privileges within the system.", "risk_and_exploitability": "The CVSS base score of 6.5 reflects a medium severity vulnerability, and the EPSS probability of exploitation is under 1 %, indicating that attacks are currently uncommon. Because the flaw relies on an authenticated session, an adversary needs only valid user credentials or social\u2011engineering access to the application. Once authenticated, the attacker can query the vulnerable endpoint over any network channel that permits API traffic. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation to date."}}}}, "created": "2026-03-20T08:54:22.874806+00:00", "updated": "2026-03-25T11:54:02.135444+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}