CVE-2026-29108 MEDIUM

CVE-2026-29108: Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

Vendor Suitecrm
Product SuiteCRM-Core
Weakness CWE-200 · Info exposure
Published March 19, 2026
Last update March 21, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to version 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. Because any authenticated user can query this endpoint, it is possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.

Key dates

Disclosure timeline

March 19, 2026 CVE published
March 21, 2026 Record updated