CVE-2026-29098 in SuiteCRM

Summary

by MITRE • 03/20/2026

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the `action_exportCustom` function in `modules/ModuleBuilder/controller.php` fails to properly neutralize path traversal sequences in the `$modules` and `$name` parameters. Both parameters later reach the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php`, where they are both utilized in constructing paths for file reading and writing. As such, it is possible for a user with access to the ModuleBuilder module, generally an administrator, to craft a request that can copy the content of any readable directory on the underlying host into the web root, making them readable. As the `ModuleBuilder` module is part of both major versions 7 and 8, both current major versions are affected. This vulnerability allows an attacker to copy any readable directory into the web root. This includes system files like the content of `/etc`, or the root directory of the web server, potentially exposing secrets and environment variables. Versions 7.15.1 and 8.9.3 patch the issue.


Analysis

by VulDB Data Team • 03/22/2026

The vulnerability identified as CVE-2026-29098 affects SuiteCRM, a widely used open-source Customer Relationship Management platform that serves enterprise clients. The flaw resides in the ModuleBuilder module's controller component, specifically in the `action_exportCustom` function in `modules/ModuleBuilder/controller.php`. It is a classic path traversal vulnerability that stems from inadequate input sanitization and validation in the application's file handling. It affects both major versions 7 and 8 of SuiteCRM, which is particularly concerning given the software's widespread adoption in enterprise environments where sensitive customer data and business-critical information are managed.

The flaw manifests when the `$modules` and `$name` parameters passed to `action_exportCustom` are not neutralized against path traversal sequences such as `../`. These unvalidated parameters flow into the `exportCustom` function in `modules/ModuleBuilder/MB/MBPackage.php`, where they are incorporated directly into the file paths used for both reading and writing. Crafted input can therefore steer those file system operations to directories beyond the intended scope. Under CWE-22 (path traversal), this lets an attacker bypass the intended file access restrictions and reach sensitive system resources. The vulnerability sits at the intersection of ATT&CK techniques T1059.001 (Command and Scripting Interpreter) and T1566.001 (Phishing), as attackers could leverage it to exfiltrate sensitive information from the underlying host.

The operational impact is severe for organizations running affected SuiteCRM versions. An attacker with access to the ModuleBuilder module, which is typically restricted to administrators, can copy the content of any readable directory into the web root, where it becomes reachable over ordinary web requests. That goes beyond file enumeration: configuration files, database credentials, environment variables and other sensitive data under directories such as `/etc` or the web server root can be exposed. Exploitation requires only administrative access to ModuleBuilder, which privileged users in enterprise environments often already hold, so the attack surface is readily reachable. Information disclosure of this kind can lead to complete system compromise, since exposed secrets can be reused for further attacks inside the network. Organizations running versions 7.15.0 and earlier or 8.9.2 and earlier are at significant risk, as these versions are widely deployed where the software serves as a critical business application.

Remediation is to upgrade to SuiteCRM 7.15.1 or 8.9.3, which neutralize path traversal sequences in the affected parameters before they reach file system operations. Administrators should treat this as a critical patch given the potential for information disclosure and the low barrier to exploitation. Organizations should also verify that no unauthorized accounts hold access to the ModuleBuilder module, since administrative privileges are required to exploit the flaw. More broadly, consistent input validation and parameter sanitization, as recommended by the OWASP Top 10 and NIST guidelines, help prevent similar vulnerabilities in other applications across the organization's infrastructure. The patch underlines how important parameter validation is in web applications whenever user-supplied data influences file system operations.
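The check the remediation paragraph describes, shown as an added example that is not SuiteCRM's code or the project's actual fix: each user-supplied component (the page's `$modules` and `$name`) is allowlisted, and the resolved path is then verified to remain under its base directory. The directory names are assumptions for the demo.

```python
import posixpath
import re

# Hypothetical directories for the demo; SuiteCRM's real layout is not assumed.
CUSTOM_ROOT = "/var/www/suitecrm/custom/modules"
EXPORT_ROOT = "/var/www/suitecrm/upload"

# Allowlist: a module or package name is exactly one path component of word
# characters. Slashes, dots, NUL bytes and the empty string all fail it.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")


def naive_join(root, part):
    """Vulnerable shape: request input pasted into a path with no check.
    normpath shows where the resulting read or write would actually land."""
    return posixpath.normpath(posixpath.join(root, part))


def safe_join(root, *parts):
    """Hardened form: allowlist every component, then verify the normalized
    result is still under root. The containment test is a second, independent
    defence; it is lexical, so on a live system also resolve symlinks with
    os.path.realpath before comparing."""
    for part in parts:
        if not SAFE_NAME.fullmatch(part):
            raise ValueError(f"rejected path component: {part!r}")
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes {root}: {candidate}")
    return candidate


def export_paths(modules, name):
    """(source_dir, target_dir) for an export request, or ValueError.
    Both request values are checked because both reach path construction."""
    return safe_join(CUSTOM_ROOT, modules), safe_join(EXPORT_ROOT, name)


def escapes_root(root, part):
    """True if naive_join would let this value read or write outside root."""
    return posixpath.commonpath([root, naive_join(root, part)]) != root


if __name__ == "__main__":
    for value in ("Accounts", "../../../../../etc", "Accounts/../../config"):
        print(f"{value!r}: escapes root unchecked = {escapes_root(CUSTOM_ROOT, value)}")
        try:
            print("  hardened ->", export_paths(value, "pkg1"))
        except ValueError as err:
            print("  hardened ->", err)
```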

Responsible

GitHub M

Reservation

03/03/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00077

KEV

no

Activities

very low
