CVE-2026-29189

EPSS 0.32%
Veröffentlicht 19.03.2026 23:05:16
Zuletzt bearbeitet 23.03.2026 16:46:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they should not have permission to interact with. Versions 7.15.1 and 8.9.3 patch the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Suitecrm ≫ Suite CRM Version < 7.15.1

Suitecrm ≫ Suite CRM Version >= 8.0.0 < 8.9.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.236

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://docs.suitecrm.com/admin/releases/7.15.x

Release Notes

https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-29189

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-29189

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-29189

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-29189