CVE-2026-29097 in SuiteCRM

Summary

by MITRE • 03/20/2026

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions prior to 7.15.1 and 8.9.3 contain a Server-Side Request Forgery (SSRF) vulnerability combined with a Denial of Service (DoS) condition in the RSS Feed Dashlet component. Versions 7.15.1 and 8.9.3 patch the issue.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-29097 affects SuiteCRM, a widely used open-source customer relationship management platform deployed by enterprise organizations. The flaw lies in the RSS Feed Dashlet component, which lets users display external RSS feeds on their CRM dashboards. It represents a critical security risk because it combines two distinct but related attack vectors: a Server-Side Request Forgery weakness (CWE-918) that lets an attacker make the application issue unintended requests to internal or external systems, and a Denial of Service condition that can disrupt normal application functionality. This dual nature makes the vulnerability particularly dangerous, since it can be exploited both for reconnaissance and for service disruption.

The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the RSS Feed Dashlet functionality. Attackers can craft malicious URLs that, when processed by the application, cause the server to make unintended HTTP requests to arbitrary destinations. This flaw occurs because the application fails to properly validate and restrict the URLs that can be fetched, allowing an attacker to specify internal network addresses or external malicious endpoints. The vulnerability affects both version 7.x and 8.x branches of SuiteCRM, with the specific patched versions being 7.15.1 and 8.9.3 respectively. The SSRF aspect of this vulnerability aligns with ATT&CK technique T1190, which describes the use of server-side request forgery to bypass access controls and access internal resources. The DoS component manifests through the potential for excessive resource consumption or connection exhaustion, which can be categorized under ATT&CK technique T1499 for network denial of service.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with the capability to perform internal network reconnaissance and potentially access sensitive internal systems. An attacker could leverage the SSRF functionality to probe internal network services, bypass firewalls, or access systems that would normally be restricted from external access. The DoS component creates additional operational concerns, as it can render the affected CRM dashboards unavailable to legitimate users, potentially disrupting business operations and customer service workflows. Organizations using SuiteCRM versions prior to the patched releases face significant risk, as the vulnerability can be exploited without requiring authentication, making it particularly dangerous in environments where the application is exposed to untrusted networks. The combination of these attack vectors means that successful exploitation can result in both information disclosure and service disruption, potentially leading to complete system compromise.

Organizations should prioritize immediate remediation by upgrading to SuiteCRM 7.15.1 or 8.9.3, which contain the patches for both the SSRF and DoS conditions. Where possible, network segmentation and firewall rules should restrict the CRM server's access to internal systems, so that a forged request has nowhere to go even if one is issued. Security monitoring should be extended to cover outbound requests originating from the CRM server, since unusual destinations or request volumes there are a direct indicator of exploitation attempts. The vulnerability underlines the importance of validating and restricting all user-supplied input, particularly in components that fetch external resources, in line with CWE guidance on preventing injection flaws and enforcing proper access control. Organizations should also consider a web application firewall and additional monitoring controls to detect and block attempts against similar weaknesses in other components of their CRM infrastructure.
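One way a feed fetcher can enforce the URL restrictions and resource limits the analysis calls for, shown as an added example in Python (this is not SuiteCRM's own code, which is PHP). The pluggable resolver, the allowed-port set and the 1 MB body cap are assumptions chosen for illustration; the key points are that every resolved address is vetted, the caller connects to a vetted address rather than re-resolving (DNS rebinding), and the response size is bounded.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}      # assumption: feeds are served on standard ports only
MAX_FEED_BYTES = 1_000_000     # assumption: hard cap per fetch to bound memory use


def default_resolver(host):
    """Return every address a name resolves to; a hostile name may mix public and internal answers."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})


def is_internal(ip):
    """True for loopback, private/ULA, link-local, multicast, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # judge ::ffff:10.0.0.5 as 10.0.0.5
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_feed_url(url, resolver=default_resolver):
    """Vet a user-supplied feed URL and return the vetted IPs the fetcher must connect to.

    Raises ValueError on rejection. The caller pins its connection to one of the
    returned addresses; resolving again later would reopen the check to DNS rebinding.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    if parts.port is not None and parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    try:                                 # IP literal (including [::1]) needs no lookup
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("host did not resolve")
    for ip in addrs:
        if is_internal(ip):
            raise ValueError(f"host resolves to internal address {ip}")
    return addrs


def read_limited(stream, limit=MAX_FEED_BYTES):
    """Read a feed body under a hard byte cap so an oversized response cannot exhaust memory."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("feed exceeds size limit")
    return data
```

A fetch timeout and a redirect limit belong on the HTTP client itself, and each redirect target must pass validate_feed_url again before it is followed.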

Responsible: GitHub M

Reservation: 03/03/2026

Disclosure: 03/20/2026

Moderation: accepted

CPE: ready

EPSS: 0.00021

KEV: no

Activities: very low

Sources
