{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29108", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.709Z", "datePublished": "2026-03-19T23:10:59.651Z", "dateUpdated": "2026-03-19T23:10:59.651Z"}, "containers": {"cna": {"title": "Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"}], "affected": [{"vendor": "SuiteCRM", "product": "SuiteCRM-Core", "versions": [{"version": "< 8.9.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T23:10:59.651Z"}, "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."}], "source": {"advisory": "GHSA-xc8w-xc9v-45w5", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."}], "id": "CVE-2026-29108", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:15.983", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.9.3)"}}], "enrichment": {"confidence": 87.0, "confidence_source": "matching", "scores": [{"score": 87.0, "source": "matching"}]}, "original": {"product": "SuiteCRM-Core", "source": "cna", "vendor": "SuiteCRM"}, "product": "suitecrm", "vendor": "suitecrm"}], "analysis": {"en": {"generated_at": "2026-03-20T00:22:10.697020+00:00", "value": {"mitigation_remediation": ["Apply SuiteCRM 8.9.3 or later to patch the vulnerability", "Verify all SuiteCRM installations are upgraded to the patched version", "Consider disabling or restricting the vulnerable API endpoint if it is not required for business operations"], "summary": {"action": "Apply Patch", "impact": "Unauthorized disclosure of password hashes"}, "threat_synthesis": {"affected_systems": "All installations of SuiteCRM Core running a version earlier than 8.9.3 are affected. The official patch was released in version 8.9.3. No specific sub\u2011product or module is mentioned beyond the core SuiteCRM application.", "description_and_impact": "SuiteCRM versions prior to 8.9.3 expose an authenticated API endpoint that allows any logged\u2011in user to retrieve sensitive information about other users, including their password hashes, usernames, and MFA configuration. The vulnerability permits an attacker with valid credentials to view the password hash of any user, potentially enabling credential cracking, especially for administrative accounts. This weakness falls under CWE-200, indicating an information\u2011disclosure vulnerability.", "risk_and_exploitability": "The CVSS score for this issue is 6.5, indicating a moderate level of severity. As no EPSS value is available, the exploit probability cannot be quantified from the provided data. The vulnerability is not listed in the CISA KEV catalog. Because the attack vector requires authentication, an adversary must have valid credentials to exploit it; however, once authenticated, they can trivially retrieve and potentially crack password hashes for higher\u2011privilege users."}}}}, "created": "2026-03-20T08:54:22.874806+00:00", "updated": "2026-03-20T10:43:50.285143+00:00", "vendors": ["suitecrm", "suitecrm$PRODUCT$suitecrm"]}