SuiteCRM, an open-source CRM platform, contains a vulnerability identified as CVE-2026-29108 (CWE-200) affecting versions prior to 8.9.3. The flaw resides in an authenticated API endpoint that improperly exposes detailed user information to any authenticated user. Specifically, this endpoint allows retrieval of password hashes, usernames, and multi-factor authentication (MFA) configuration details of any user in the system. Since any authenticated user can query this endpoint, an attacker with a low-privilege account can harvest sensitive data about higher-privilege users, including administrators. The exposure of password hashes enables offline brute-force or dictionary attacks to recover plaintext passwords, potentially leading to privilege escalation and unauthorized access. MFA configuration exposure may assist attackers in bypassing or targeting multi-factor protections. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting medium severity with high confidentiality impact but no integrity or availability impact. The attack vector is network-based with low attack complexity and requires privileges equivalent to any authenticated user, but no user interaction. The vulnerability was publicly disclosed on March 19, 2026, and fixed in SuiteCRM version 8.9.3. No known exploits are reported in the wild as of now.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive user information, including password hashes and MFA configurations. This exposure can lead to offline password cracking attacks, potentially compromising administrative and other privileged accounts. Once administrative credentials are compromised, attackers can manipulate CRM data, exfiltrate sensitive customer and business information, disrupt business operations, or use the CRM as a foothold for further network intrusion. Organizations relying on SuiteCRM for customer relationship management risk data breaches, loss of customer trust, and regulatory penalties, especially if customer data is involved. The vulnerability affects confidentiality but does not directly impact data integrity or system availability. However, the resulting compromise from credential theft can have broader security consequences. Since the vulnerability requires only authenticated access, any user account compromise or insider threat can be leveraged to exploit this flaw, increasing the risk in environments with many users or weak account controls.

Organizations should immediately upgrade SuiteCRM-Core to version 8.9.3 or later, where this vulnerability is patched. Until upgrading, restrict access to the API endpoint by implementing strict access controls and monitoring API usage for unusual queries or data access patterns. Enforce strong password policies and use robust MFA mechanisms to reduce the risk of password cracking success. Regularly audit user accounts and remove or disable unnecessary accounts to minimize the attack surface. Implement network segmentation and least privilege principles to limit authenticated user capabilities. Monitor logs for suspicious activity related to user data access. Consider additional application-layer protections such as Web Application Firewalls (WAFs) to detect and block abnormal API requests. Educate users about the importance of account security and promptly investigate any signs of credential compromise.