CVE-2026-29104 in SuiteCRM

Summary

by MITRE • 03/20/2026

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, SuiteCRM contains an authenticated arbitrary file upload vulnerability in the Configurator module. An authenticated administrator can bypass intended file type restrictions when uploading PDF font files, allowing arbitrary files with attacker-controlled filenames to be written to the server. Although the upload directory is not directly web-accessible by default, this behavior breaks security boundaries and may enable further attacks when combined with other vulnerabilities or in certain deployment configurations. Versions 7.15.1 and 8.9.3 patch the issue.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-29104 affects SuiteCRM versions prior to 7.15.1 and 8.9.3, representing a critical authenticated arbitrary file upload flaw within the Configurator module. This security weakness stems from insufficient validation of file types during the upload process, specifically when handling PDF font files. The vulnerability allows authenticated administrators to circumvent intended file type restrictions, enabling them to upload arbitrary files with attacker-controlled filenames to the server. The flaw operates through a bypass mechanism that permits malicious file uploads despite the system's attempt to restrict file types to legitimate PDF font formats.

The technical root cause is inadequate input validation and sanitization in the Configurator module. When an administrator uploads a file through this module, the application does not verify the actual file content against the declared file type, so the validation applied to PDF font uploads can be bypassed and files with extensions such as php or asp can be written to the server under an attacker-chosen name. Because the upload directory is not web-accessible by default, executing such a file additionally requires another weakness or a non-default deployment configuration. This is a classic case of insecure file upload handling and corresponds to CWE-434, Unrestricted Upload of File with Dangerous Type.

The operational impact of this vulnerability extends beyond simple unauthorized file uploads, as it fundamentally breaches the security boundaries that protect the application's server environment. While the upload directory is not directly web-accessible by default, the vulnerability's exploitation can lead to more severe consequences when combined with other security weaknesses or in specific deployment configurations. An attacker who gains administrative access could leverage this vulnerability to execute arbitrary code on the server, potentially leading to full system compromise, data exfiltration, or establishment of persistent backdoors. The attack vector requires authentication as an administrator, but once achieved, it provides a direct path to server-side code execution that can be leveraged for further reconnaissance and lateral movement within the network.

Security implications of this vulnerability align with ATT&CK technique T1505.003 (Web Shell), a sub-technique of T1505 Server Software Component, which covers placing a script on a web server to obtain persistent access and code execution. The vulnerability creates opportunities for privilege escalation and persistent access, particularly when combined with other exploitation techniques or when administrators use weak credentials. Organizations deploying SuiteCRM must consider the broader security context, as this vulnerability can be particularly dangerous in environments where administrators have access to multiple systems or where the application is deployed with less restrictive security configurations. The fix in versions 7.15.1 and 8.9.3 addresses the validation logic that allowed the bypass, so that file uploads are validated against both file extension and content type rather than the client-declared type alone. This remediation follows established practice for file upload validation and aligns with security frameworks emphasizing defense in depth and the principle of least privilege.
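As an added illustration (not SuiteCRM's own code and not the patched Configurator logic), the following Python places a validator of the weak shape described above beside one that checks the extension against an allowlist, inspects the file's leading bytes, and discards the client-supplied filename in favour of a server-generated one. The function names, the constructed sample uploads, and the assumption that PDF fonts are TrueType/OpenType files are choices made for this example; the TTF/OTF magic bytes are the standard ones.

```python
"""Added example: weak versus hardened validation of an administrator font upload.

Not SuiteCRM code. The weak validator trusts the client-declared MIME type and keeps
the client's filename, which is the shape of bypass the advisory describes. The
hardened one ignores the declared type entirely and checks what can be verified
server-side. Names and sample data are constructed for this example.
"""
import os
import secrets
from typing import Dict, Optional, Tuple

# Assumption for this example: the PDF engine accepts TrueType and OpenType fonts.
ALLOWED_EXTENSIONS = {"ttf", "otf"}

# Leading bytes of TrueType (two common variants) and OpenType/CFF font files.
FONT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO")

# Constructed sample uploads: client filename -> (client-declared MIME type, file bytes).
SAMPLE_UPLOADS: Dict[str, Tuple[str, bytes]] = {
    "regular.ttf": ("font/ttf", b"\x00\x01\x00\x00" + b"\x00" * 28),
    "notes.php": ("font/ttf", b"<?php echo 'not a font'; ?>"),    # declared as a font
    "fake.ttf": ("font/ttf", b"<?php echo 'not a font'; ?>"),     # right extension, wrong content
    "../outside.otf": ("font/otf", b"OTTO" + b"\x00" * 28),       # path separator in the name
    "double.php.ttf": ("font/ttf", b"true" + b"\x00" * 28),       # genuine font, suspicious name
}


def weak_validate(client_name: str, declared_mime: str, data: bytes) -> Optional[str]:
    """Trusts the client-declared MIME type and stores under the client's filename.
    Returns the storage filename, or None when rejected."""
    if declared_mime not in ("font/ttf", "font/otf"):
        return None
    return client_name  # attacker-controlled name and content reach the disk unchanged


def hardened_validate(client_name: str, declared_mime: str, data: bytes) -> Optional[str]:
    """Extension allowlist, content (magic-byte) check, and a server-generated name.
    The declared MIME type is ignored entirely: it is client input."""
    ext = os.path.splitext(os.path.basename(client_name))[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return None
    if not data.startswith(FONT_MAGIC):
        return None
    # Fresh random name: no traversal sequences, no double extensions, nothing attacker-chosen.
    return f"font_{secrets.token_hex(8)}.{ext}"


def run_samples() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Apply both validators to every sample; returns name -> (weak result, hardened result)."""
    return {
        name: (weak_validate(name, mime, data), hardened_validate(name, mime, data))
        for name, (mime, data) in SAMPLE_UPLOADS.items()
    }


if __name__ == "__main__":
    for name, (weak, hard) in run_samples().items():
        print(f"{name:18} weak={weak!r:22} hardened={hard!r}")
```

Run it directly to see the two columns: the weak validator accepts every sample because each declares a font MIME type, while the hardened one rejects the PHP payloads regardless of their name and stores the genuine fonts under a name the uploader never chose, which is what removes the "attacker-controlled filename" part of the problem even when the content check passes.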

Responsible: GitHub M
Reservation: 03/03/2026
Disclosure: 03/20/2026
Moderation: accepted
CPE: ready
EPSS: 0.00051
KEV: no
Activities: very low
