CVE-2026-29108
Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
8th
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As any authenticated user can query this endpoint, it's possible to retrieve and potentially crack the passwords of administrative users. Version 8.9.3 patches the issue.
| CWE | CWE-200 |
| Vendor | suitecrm |
| Product | suitecrm-core |
| Published | Mar 19, 2026 |
| Last Updated | Mar 21, 2026 |
Stay Ahead of the Next One
Get instant alerts for suitecrm suitecrm-core
Be the first to know when new medium vulnerabilities affecting suitecrm suitecrm-core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
SuiteCRM / SuiteCRM-Core
< 8.9.3