CVE-2026-29096 in SuiteCRM
Summary
by MITRE • 03/20/2026
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, when creating or editing a report (AOR_Reports module), the `field_function` parameter from POST data is saved directly into the `aor_fields` table without any validation. Later, when the report is executed/viewed, this value is concatenated directly into a SQL SELECT query without sanitization, enabling second-order SQL injection. Any authenticated user with Reports access can extract arbitrary database contents (password hashes, API tokens, config values). On MySQL with FILE privilege, this could lead to RCE via SELECT INTO OUTFILE. Versions 7.15.1 and 8.9.3 patch the issue.
Analysis
by VulDB Data Team • 03/25/2026
CVE-2026-29096 is a second-order SQL injection in SuiteCRM, a widely deployed open-source customer relationship management platform. It affects versions prior to 7.15.1 (7.x line) and 8.9.3 (8.x line) and lets any authenticated user with access to the Reports module manipulate database queries through report creation and editing. The root cause is missing validation of the `field_function` parameter in the AOR_Reports module: the value is accepted from POST data, stored as-is, and later used verbatim when the report's SQL is assembled, so unvalidated user input ends up directly inside a SQL execution context.
Exploitation follows the classic second-order pattern in two stages. First, the attacker submits a crafted `field_function` value while creating or editing a report; it is written to the `aor_fields` table without sanitisation, and nothing fires at this point because the write is not where the value is interpreted. Second, when the report is executed or viewed, the stored value is concatenated into the SELECT list of the report query and the payload runs. Because the injected string is a function name, which is part of the SQL syntax rather than a data value, query parameterisation alone cannot protect this spot; the value has to be checked against a closed list of permitted functions. The flaw needs only an authenticated account with Reports access, which in many deployments is a low-privilege role, so users who should have no direct database interaction gain query-level control. It maps to CWE-89 (SQL injection), specifically the stored (second-order) variant in which input is persisted and executed later in a different context.
The impact goes well beyond reading the report's own data. Through the injection point an attacker can read arbitrary tables: password hashes from the users table, API tokens, and configuration values that open further systems. On MySQL, if the database account SuiteCRM connects with holds the FILE privilege and `secure_file_priv` does not restrict output paths, `SELECT ... INTO OUTFILE` can write an attacker-controlled file to the filesystem; placed in a directory the web server executes, that file turns the injection into remote code execution. In ATT&CK terms the prerequisite is T1078 (Valid Accounts), the exploitation is T1190 (Exploit Public-Facing Application) where the CRM is reachable from the internet, and the OUTFILE path lands at T1505.003 (Server Software Component: Web Shell). SuiteCRM's wide adoption in enterprise environments amplifies the impact, since the extracted credentials and configuration data frequently grant access to adjacent business systems.
Mitigation starts with upgrading to 7.15.1 or 8.9.3, which close the injection point. Because this is a second-order flaw, patching is not the end: any payload stored in `aor_fields` before the upgrade is still sitting in the table, so administrators should audit existing `field_function` values against the small set of legitimate aggregate functions and delete or reset anything else. In code, the durable defence is an allow-list applied both when a report field is saved and again when the query is built, since a function name cannot be passed as a bound parameter; parameterisation of the surrounding query remains necessary for the actual data values. Security teams should review other modules that persist user input for later use in query construction, restrict Reports access to users who need it, and apply least privilege to the MySQL account (no FILE privilege, `secure_file_priv` set) to cut off the RCE path. Monitoring should flag report queries that touch tables outside the report's own module, and regular assessments should look specifically for stored-then-executed input elsewhere in the application stack.
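The two-stage pattern described in the analysis and the post-patch audit from the mitigation paragraph, as an added example written for this page (not SuiteCRM's own code): a minimal SQLite stand-in for the `aor_fields` table shows the vulnerable save-then-concatenate path leaking password hashes, the allow-list check that closes it on both write and read, and an audit of rows already in the table. The schema, the allow-listed function set, the `accounts`/`users` sample rows and the payload are all constructed assumptions; the real SuiteCRM query text differs.

```python
import sqlite3

# Allow-lists for the hardened path. The function set mirrors the aggregate
# choices a report builder typically offers; SuiteCRM's exact set is assumed.
ALLOWED_FUNCTIONS = {"", "COUNT", "SUM", "AVG", "MIN", "MAX"}
ALLOWED_COLUMNS = {"id", "name", "annual_revenue"}

# Constructed payload: the function slot becomes a subquery over the users
# table and "-- " comments out the rest of the generated statement
# (the trailing space after -- is required on MySQL).
PAYLOAD = "(SELECT group_concat(user_name || ':' || user_hash) FROM users) -- "


def setup_db():
    """Constructed stand-in schema: report fields, the reported table, users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE aor_fields (id INTEGER PRIMARY KEY, report_id TEXT,
                                 field TEXT, field_function TEXT);
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, annual_revenue INTEGER);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, user_hash TEXT);
        INSERT INTO accounts VALUES (1, 'Acme', 1000), (2, 'Globex', 2500);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash1'),
                                 (2, 'alice', '$2y$10$constructedhash2');
    """)
    return conn


# --- vulnerable pattern: store verbatim, concatenate later ------------------

def save_field_vulnerable(conn, report_id, field, field_function):
    # Stage 1: the POST value is persisted as-is. This INSERT is itself
    # parameterised, so nothing executes yet; the payload waits in the table.
    conn.execute("INSERT INTO aor_fields (report_id, field, field_function) VALUES (?, ?, ?)",
                 (report_id, field, field_function))


def build_sql_vulnerable(conn, report_id):
    # Stage 2: the stored value is spliced into the SELECT list as raw SQL.
    field, func = conn.execute(
        "SELECT field, field_function FROM aor_fields WHERE report_id = ?",
        (report_id,)).fetchone()
    expr = f"{func}({field})" if func else field
    return f"SELECT {expr} FROM accounts"


# --- hardened pattern: allow-list on write AND on read ----------------------

def check_field_spec(field, field_function):
    # A function name is SQL syntax, not data, so it cannot be bound as a
    # placeholder; a closed allow-list is the only safe option.
    if field not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column: {field!r}")
    if field_function.upper() not in ALLOWED_FUNCTIONS:
        raise ValueError(f"unknown function: {field_function!r}")


def save_field_safe(conn, report_id, field, field_function):
    check_field_spec(field, field_function)
    conn.execute("INSERT INTO aor_fields (report_id, field, field_function) VALUES (?, ?, ?)",
                 (report_id, field, field_function))


def build_sql_safe(conn, report_id):
    field, func = conn.execute(
        "SELECT field, field_function FROM aor_fields WHERE report_id = ?",
        (report_id,)).fetchone()
    # Re-validate at query time: rows written before the fix, or by direct
    # database access, are otherwise still a live injection point.
    check_field_spec(field, func)
    expr = f"{func.upper()}({field})" if func else field
    return f"SELECT {expr} FROM accounts"


def audit_stored_fields(conn):
    """Post-patch clean-up: rows whose stored function is off the allow-list."""
    bad = []
    for row_id, report_id, field, func in conn.execute(
            "SELECT id, report_id, field, field_function FROM aor_fields"):
        try:
            check_field_spec(field, func)
        except ValueError:
            bad.append((row_id, report_id, func))
    return bad


def run_demo():
    conn = setup_db()
    save_field_vulnerable(conn, "r1", "name", PAYLOAD)            # stage 1
    leaked = conn.execute(build_sql_vulnerable(conn, "r1")).fetchone()[0]  # stage 2
    try:
        save_field_safe(conn, "r2", "name", PAYLOAD)
        blocked_on_write = False
    except ValueError:
        blocked_on_write = True
    try:
        build_sql_safe(conn, "r1")          # the poisoned row from before the fix
        blocked_on_read = False
    except ValueError:
        blocked_on_read = True
    save_field_safe(conn, "r3", "annual_revenue", "SUM")
    total = conn.execute(build_sql_safe(conn, "r3")).fetchone()[0]
    return {"leaked": leaked, "blocked_on_write": blocked_on_write,
            "blocked_on_read": blocked_on_read, "total": total,
            "suspicious": audit_stored_fields(conn)}


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable query produced for `r1` reads `SELECT (SELECT group_concat(...) FROM users) -- (name) FROM accounts`, so the report's own FROM clause is commented away and the result row is the concatenated user hashes. The hardened builder rejects the same row on read, which is the behaviour an upgrade needs if it is to neutralise payloads stored before the patch; `audit_stored_fields` is the check an administrator would run once after upgrading.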