Authorization bypass through user-controlled key in SuiteCRM - CVE-2026-29189

Published: April 24, 2026


Vulnerability identifier: #VU127400
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29189
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SalesAgility
Affected software:
SuiteCRM

Detailed vulnerability description

The vulnerability allows a remote authenticated user to disclose sensitive information and modify protected relationships.

The vulnerability exists due to improper access control in the REST API V8 user preferences and relationship endpoints: the record identifier supplied in the request is used as the authorization key without verifying that the authenticated user is entitled to that record. A remote user holding valid API credentials (the CVSS vector requires only low privileges, PR:L) can send requests carrying another user's or another group's record identifiers to read sensitive information and to modify relationships between records they should not be able to reach.

Because the check is keyed on the client-supplied identifier rather than on the requester's ownership or SecurityGroup membership, the issue bypasses SecurityGroup-based data isolation.
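The pattern behind CWE-639 is easiest to see side by side. The following is an added illustration, not SuiteCRM's code: it models a user-preferences lookup and a relationship-link operation over a constructed in-memory data set with a SecurityGroup-style visibility rule. The vulnerable handlers trust the identifier from the request; the hardened ones derive the key from the authenticated session and check both ends of a relationship against ownership and group membership. All names, users, groups and records are assumptions made for the example.

```python
# Added illustration of CWE-639 in a record-fetch / relationship-link API.
# Constructed in-memory model with a SecurityGroup-style visibility rule;
# it is NOT SuiteCRM's code and the names below are assumptions.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised by the hardened handlers when the caller may not touch a record."""


@dataclass
class Record:
    id: str
    owner: str                    # user who owns the record
    groups: frozenset             # security groups allowed to see it
    data: dict = field(default_factory=dict)
    related: set = field(default_factory=set)   # ids of linked records


# Constructed sample data: alice and bob sit in different security groups.
USER_GROUPS = {"alice": {"sales-east"}, "bob": {"sales-west"}}
USER_PREFS = {
    "alice": Record("alice", "alice", frozenset(), {"timezone": "UTC", "email": "alice@example.test"}),
    "bob": Record("bob", "bob", frozenset(), {"timezone": "PST", "email": "bob@example.test"}),
}
ACCOUNTS = {
    "acc-1": Record("acc-1", "alice", frozenset({"sales-east"}), {"name": "Acme"}),
    "acc-2": Record("acc-2", "bob", frozenset({"sales-west"}), {"name": "Globex"}),
}
CONTACTS = {
    "con-1": Record("con-1", "bob", frozenset({"sales-west"}), {"name": "C. Doe"}),
}


def can_access(user: str, record: Record) -> bool:
    """Owner, or member of a group the record is shared with."""
    if record.owner == user:
        return True
    return bool(USER_GROUPS.get(user, set()) & record.groups)


# --- Vulnerable handlers: the key comes from the request and is trusted ----

def get_user_preferences_vulnerable(auth_user: str, requested_user_id: str) -> dict:
    # auth_user is ignored; whatever id the client puts in the URL wins.
    return USER_PREFS[requested_user_id].data


def link_relationship_vulnerable(auth_user: str, account_id: str, contact_id: str) -> bool:
    # No check on either end of the relationship.
    ACCOUNTS[account_id].related.add(contact_id)
    return True


# --- Hardened handlers: authorize against the session, not the supplied key --

def get_user_preferences_fixed(auth_user: str, requested_user_id: str) -> dict:
    # Preferences are per-user: the only valid key is the caller's own id.
    if requested_user_id != auth_user:
        raise Forbidden(requested_user_id)
    return USER_PREFS[auth_user].data


def link_relationship_fixed(auth_user: str, account_id: str, contact_id: str) -> bool:
    # Both ends must be visible to the caller; a user-controlled key on
    # either side would otherwise let them attach records they cannot see.
    account = ACCOUNTS.get(account_id)
    contact = CONTACTS.get(contact_id)
    # Unknown and forbidden ids get the same answer so the endpoint cannot be
    # used to enumerate which identifiers exist.
    if account is None or contact is None:
        raise Forbidden(f"{account_id}/{contact_id}")
    if not (can_access(auth_user, account) and can_access(auth_user, contact)):
        raise Forbidden(f"{account_id}/{contact_id}")
    account.related.add(contact_id)
    return True


def denied(handler, *args) -> bool:
    """True if the handler rejects the call with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob reads alice's preferences and links a contact to alice's account
    # through the vulnerable handlers, and is stopped by the fixed ones.
    print(get_user_preferences_vulnerable("bob", "alice"))
    print(link_relationship_vulnerable("bob", "acc-1", "con-1"))
    print(denied(get_user_preferences_fixed, "bob", "alice"))
    print(denied(link_relationship_fixed, "bob", "acc-1", "con-1"))
```

Two design points carry over to any real fix of this class: a per-user resource should never take the user id from the request at all (the session already knows who is calling), and a relationship write must authorize both records it touches, because attackers commonly control the "other" end of the link rather than the record they legitimately own.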


How to mitigate CVE-2026-29189

Install the security update from the vendor's website.

Sources