What is CVE-2026-29189?

CVE-2026-29189 is a high-severity vulnerability in Suitecrm, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 8.1/10. Published 2026-03-19.

How severe is CVE-2026-29189?

High severity. CVSS v3 base score is 8.1 out of 10.

Auth bypass in Suitecrm

CVE-2026-29189

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allow…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (3.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Affected products

Suitecrm — versions < 7.15.1, >= 8.0.0, < 8.9.3

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-m6x8-3hxp-qxwv (x_refsource_CONFIRM)
https://docs.suitecrm.com/admin/releases/7.15.x (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-29189?: CVE-2026-29189 is a high-severity vulnerability in Suitecrm, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 8.1/10. Published 2026-03-19.
How severe is CVE-2026-29189?: High severity. CVSS v3 base score is 8.1 out of 10.