SB2026042405 - Multiple vulnerabilities in SuiteCRM
Published: April 24, 2026
Description
This security bulletin contains information about 14 security vulnerabilities.
1) SQL injection (CVE-ID: CVE-2026-33288)
The vulnerability allows a remote user to execute arbitrary SQL commands and escalate privileges.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the authentication module when processing a user-supplied username in a local database query. A remote user can supply a crafted username to execute arbitrary SQL commands and escalate privileges.
Exploitation requires valid low-privilege directory credentials and directory support to be enabled.
2) LDAP injection (CVE-ID: CVE-2026-33289)
The vulnerability allows a remote user to bypass authentication or disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements used in an LDAP query in the authentication flow when processing user-supplied input in an LDAP search filter. A remote user can inject LDAP control characters to bypass authentication or disclose sensitive information.
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-29189)
The vulnerability allows a remote user to disclose sensitive information and modify protected relationships.
The vulnerability exists due to improper access control in REST API V8 user preferences and relationship endpoints when handling crafted API requests. A remote user can send crafted requests using user-controlled record identifiers to disclose sensitive information and modify protected relationships.
The issue can bypass SecurityGroup-based data isolation.
4) SQL injection (CVE-ID: CVE-2026-29096)
The vulnerability allows a remote user to disclose sensitive information and modify data.
The vulnerability exists due to SQL injection in the AOR_Reports module report fields handling when processing the field_function parameter during report creation or editing and later executing the report. A remote user can submit a specially crafted field_function value to disclose sensitive information and modify data.
The issue is second-order because the malicious value is stored in the aor_fields table and triggered when the report is executed or viewed.
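The second-order shape of this issue is the part worth defending against directly: a value accepted at save time comes back from the database later and is used to build SQL, so it must be allow-listed both when it is stored and when it is read back. The following is an added illustration, not SuiteCRM's own code; the function list, parameter and column names are assumptions.

```php
<?php
// Added example (not SuiteCRM code): a report field function name cannot be bound
// as a prepared-statement parameter, so it is checked against a fixed allow-list.
// The check runs both before the value is stored and again when the stored value
// is turned into SQL, so a value that reached the table earlier is still rejected.

// Hypothetical allow-list of aggregates a report may apply to a field ('' = none).
const ALLOWED_FIELD_FUNCTIONS = ['', 'COUNT', 'SUM', 'AVG', 'MIN', 'MAX'];

/**
 * Validate a user-supplied field_function value before it is stored.
 * Returns the canonical name, or null when it is not on the allow-list.
 */
function validateFieldFunction(string $fieldFunction): ?string
{
    $canonical = strtoupper(trim($fieldFunction));
    return in_array($canonical, ALLOWED_FIELD_FUNCTIONS, true) ? $canonical : null;
}

/**
 * Build the SELECT expression for one report column at execution time.
 * $column comes from the field definition, not from the request; the stored
 * function name is re-validated even though it was read from the database.
 */
function buildSelectExpression(string $column, string $storedFieldFunction): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException('Invalid column identifier');
    }
    $fn = validateFieldFunction($storedFieldFunction);
    if ($fn === null) {
        // A stored value outside the allow-list is treated as tampered data.
        throw new RuntimeException('Rejected stored field_function value');
    }
    return $fn === '' ? "`$column`" : "$fn(`$column`)";
}

// Constructed inputs: a legitimate aggregate and a value carrying SQL syntax.
var_dump(validateFieldFunction('sum'));
var_dump(validateFieldFunction('SUM(1)) OR 1=1 --'));
echo buildSelectExpression('amount', 'SUM'), PHP_EOL;
```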
5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-29097)
The vulnerability allows a remote user to perform server-side request forgery and cause a denial of service.
The vulnerability exists due to server-side request forgery in the RSS Feed Dashlet component when handling RSS feed requests. A remote user can send a crafted request to perform server-side request forgery and cause a denial of service.
6) Relative Path Traversal (CVE-ID: CVE-2026-29098)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to relative path traversal in the action_exportCustom function in modules/ModuleBuilder/controller.php and the exportCustom function in modules/ModuleBuilder/MB/MBPackage.php when handling the $modules and $name parameters. A remote privileged user can send a specially crafted request to disclose sensitive information.
The issue can copy the contents of readable directories into the web root, potentially exposing files such as /etc contents, secrets, and environment variables.
7) SQL injection (CVE-ID: CVE-2026-29099)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the retrieve() function in include/OutboundEmail/OutboundEmail.php when handling the user-controlled $id parameter through the EmailUIAjax action in the Email module. A remote user can send a specially crafted request to disclose sensitive information.
Arbitrary database tables may be queried, including data such as user information and password hashes.
8) Cross-site scripting (CVE-ID: CVE-2026-29100)
The vulnerability allows a remote attacker to inject arbitrary HTML content.
The vulnerability exists due to improper neutralization of input during web page generation in the login page when processing the default_user_name parameter. A remote attacker can supply a crafted parameter value to inject arbitrary HTML content.
User interaction is required to load the crafted login page, which may enable phishing attacks or page defacement.
9) Relative Path Traversal (CVE-ID: CVE-2026-29101)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to relative path traversal in modules when handling network requests. A remote privileged user can send a specially crafted request to cause a denial of service.
10) Code Injection (CVE-ID: CVE-2026-29102)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper control of code generation in SuiteCRM modules when handling module input. A remote privileged user can inject arbitrary PHP code or operating system commands to execute arbitrary code.
11) Code Injection (CVE-ID: CVE-2026-29103)
The vulnerability allows a remote user to execute arbitrary system commands.
The vulnerability exists due to improper control of code generation in ModuleScanner.php when scanning module loader packages. A remote privileged user can upload a specially crafted package to execute arbitrary system commands.
The issue is a patch bypass of CVE-2024-49774 caused by incorrect PHP token parsing that resets the internal state when single-character tokens are encountered, allowing dangerous function calls to evade module loader package security checks.
12) Open redirect (CVE-ID: CVE-2026-29105)
The vulnerability allows a remote attacker to redirect users to arbitrary external websites.
The vulnerability exists due to URL redirection to an untrusted site in the Leads WebToLead capture functionality when processing a user-supplied POST parameter as a redirect destination. A remote attacker can supply a crafted POST parameter to redirect users to arbitrary external websites.
User interaction is required for a victim to follow the malicious redirect.
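A redirect destination taken from a form POST should only be honoured when it stays on the site or points at an allow-listed host; anything else falls back to a fixed page. This is an added illustration, not SuiteCRM's code; the trusted host, fallback page and PHP 8 string functions are assumptions.

```php
<?php
// Added example (not SuiteCRM code): decide whether a POSTed redirect target may be
// used in a Location header. Same-site relative paths and absolute http(s) URLs to
// an allow-listed host pass; everything else is replaced by a known-safe fallback.

function safeRedirectTarget(string $candidate, array $allowedHosts, string $fallback): string
{
    $candidate = trim($candidate);
    // Control characters (including CR/LF) could split the response header.
    if ($candidate === '' || preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative target: must be a single-slash path. "//host/x" is scheme-relative
        // and browsers also treat "/\host" as leaving the site, so both are rejected.
        $path = $parts['path'] ?? '';
        $ok = str_starts_with($path, '/') && !str_starts_with($path, '//')
            && !str_contains($path, '\\');
        return $ok ? $candidate : $fallback;
    }
    // Absolute target: only http(s) to an allow-listed host, compared case-insensitively.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || !in_array($host, $allowedHosts, true)) {
        return $fallback;
    }
    return $candidate;
}

// Constructed inputs; crm.example.com and the fallback page are assumed values.
$allowed = ['crm.example.com'];
$fallback = '/index.php?module=Leads&action=thankyou';
foreach ([
    '/index.php?module=Home',
    'https://crm.example.com/thanks',
    'https://attacker.example/landing',
    '//attacker.example/landing',
    'javascript:alert(1)',
] as $input) {
    echo $input, ' => ', safeRedirectTarget($input, $allowed, $fallback), PHP_EOL;
}
```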
13) Arbitrary file upload (CVE-ID: CVE-2026-29104)
The vulnerability allows a remote user to upload arbitrary files.
The vulnerability exists due to unrestricted upload of a file with a dangerous type in the Configurator addfontresult view when uploading PDF font files. A remote privileged user can upload a file with an attacker-controlled filename to upload arbitrary files.
The upload directory is not directly web-accessible by default, but the issue breaks security boundaries and may enable further attacks in certain deployment configurations or when combined with other vulnerabilities.
14) Cross-site scripting (CVE-ID: CVE-2026-29106)
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the return_id parameter when handling requests that copy the parameter value into an HTML event handler attribute. A remote privileged user can send a specially crafted request to execute arbitrary script in a victim's browser.
User interaction is required for the victim to load the malicious content.
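The context here matters: a value copied into an inline event handler attribute is interpreted as JavaScript, so HTML-attribute escaping alone does not make it safe. The added illustration below (not SuiteCRM's code) keeps the user-controlled value out of script entirely by validating it and placing it in a data attribute that a static handler reads; the record-id format and page names are assumptions.

```php
<?php
// Added example (not SuiteCRM code): render a "return" link without splicing the
// return_id value into an event handler. The value is allow-list validated, escaped
// for HTML-attribute context, and read by a fixed script through el.dataset.

function renderReturnLink(string $returnId): string
{
    // Assumed record-id format: letters, digits and dashes (GUID-like), max 36 chars.
    if (!preg_match('/^[A-Za-z0-9-]{1,36}$/', $returnId)) {
        $returnId = '';
    }
    $attr = htmlspecialchars($returnId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="#" class="return-link" data-return-id="' . $attr . '">Back</a>';
}

// Page-level handler: static code with no user data inside it.
function renderReturnScript(): string
{
    return <<<'HTML'
<script>
document.querySelectorAll('.return-link').forEach(function (el) {
    el.addEventListener('click', function (ev) {
        ev.preventDefault();
        // dataset.returnId is a plain string; it only ever becomes a query value.
        location.href = 'index.php?record=' + encodeURIComponent(el.dataset.returnId);
    });
});
</script>
HTML;
}

// Constructed input with characters that would break out of an attribute or an
// inline handler if copied in verbatim; it fails validation and is dropped.
echo renderReturnLink('abc" onmouseover="x'), PHP_EOL;
echo renderReturnLink('a1b2c3d4-0000-0000-0000-000000000000'), PHP_EOL;
echo renderReturnScript(), PHP_EOL;
```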
Remediation
Install the update from the vendor's website.
References
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7g39-m4fg-vrq7
- https://github.com/advisories/GHSA-7g39-m4fg-vrq7
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599
- https://github.com/advisories/GHSA-26vx-rj47-x599
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv
- https://github.com/advisories/GHSA-m6x8-3hxp-qxwv
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-vh42-gmqm-q55m
- https://github.com/advisories/GHSA-vh42-gmqm-q55m
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-x3p2-qcqh-qx2m
- https://github.com/advisories/GHSA-x3p2-qcqh-qx2m
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-6858-fhw5-56gf
- https://github.com/advisories/GHSA-6858-fhw5-56gf
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-38rf-h37x-7767
- https://github.com/advisories/GHSA-38rf-h37x-7767
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-g7hf-3j93-rwm5
- https://github.com/advisories/GHSA-g7hf-3j93-rwm5
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-24pf-9cvh-ppcg
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-mr5v-wcgr-98qr
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5jjq-9qch-9rg7
- https://github.com/advisories/GHSA-5jjq-9qch-9rg7
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-9crg-83cg-wv74
- https://github.com/advisories/GHSA-9crg-83cg-wv74
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5hx9-cmmx-26p3
- https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-7qrj-5hj6-7c2m
- https://github.com/advisories/GHSA-7qrj-5hj6-7c2m