High-Severity Access Control and Session Forgery Flaws Patched in SuiteCRM and Auth0 PHP SDK
SuiteCRM disclosed CVE-2026-29189, a high-severity insecure direct object reference (IDOR) flaw in its REST API V8 caused by missing ACL checks on user preferences and relationship endpoints. In versions before 7.15.1 and 8.9.3, authenticated users could access or modify data beyond their assigned permissions, creating high confidentiality and integrity risk in deployments of the open-source CRM platform. The issue is tracked as CWE-639 and carries a CVSS v3.1 rating reflecting low attack complexity and no user interaction requirement.
Auth0 also patched CVE-2026-34236 in the Auth0-PHP SDK, where insufficient entropy in cookie encryption allowed attackers to potentially brute-force encryption keys and forge session cookies. The flaw affects versions 8.0.0 through before 8.19.0 and is classified as CWE-331, with significant confidentiality and integrity impact for applications relying on the SDK for authentication. Auth0 fixed the issue in 8.19.0, while SuiteCRM remediated its API authorization weakness in 7.15.1 and 8.9.3.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-34236 for Auth0-PHP SDK is received and disclosed
The CVE entry for the Auth0-PHP SDK cookie encryption weakness was received by security-advisories@github.com and publicly disclosed. The flaw was assigned CWE-331 and carried significant confidentiality and integrity risk.
Auth0 patches insufficient entropy flaw in auth0-PHP SDK 8.19.0
Auth0 fixed a vulnerability in the auth0-PHP SDK where insufficient entropy in cookie encryption could allow brute-forcing of the encryption key and forged session cookies. The issue affected versions 8.0.0 through before 8.19.0 and was patched in version 8.19.0.
CVE-2026-29189 for SuiteCRM is received and disclosed
The CVE entry for SuiteCRM's REST API V8 IDOR vulnerability was received by security-advisories@github.com. The flaw was classified as CWE-639 and described as having high confidentiality and integrity impact.
SuiteCRM fixes REST API V8 IDOR in versions 7.15.1 and 8.9.3
SuiteCRM addressed a missing access control vulnerability in its REST API V8 that allowed authenticated users to access or manipulate data beyond their permissions via user preferences and relationship endpoints. The issue affected versions before 7.15.1 and 8.9.3.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-34236 - Auth0 PHP SDK Insufficient Entropy in Cookie Encryption
cvefeed.io
Open sourceCVE-2026-29189 - SuiteCRM has a REST API V8 IDOR: Missing ACL Checks on User Preferences and Relationship Endpoints
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple SuiteCRM Vulnerabilities Allowing SQL Injection, Privilege Escalation, and Access Control Bypass
SuiteCRM, an open-source enterprise CRM platform, was found to contain several critical vulnerabilities affecting versions 7.14.7 and prior, as well as 8.0.0-beta.1 through 8.9.0. These flaws include time-based blind SQL injection, authenticated SQL injection in the Reschedule Call module, privilege escalation via improper session invalidation and inactive user bypass, and inconsistent RBAC enforcement that enables access control bypass. Attackers exploiting these vulnerabilities could extract sensitive data, escalate privileges, or gain unauthorized access to restricted modules and data. All issues are addressed in SuiteCRM versions 7.14.8 and 8.9.1. The SQL injection vulnerabilities allow authenticated users to infer or exfiltrate database contents, potentially compromising the confidentiality and integrity of stored information. The privilege escalation flaw permits inactive users with active sessions to reactivate their accounts and maintain unauthorized access, undermining administrative controls. Additionally, inconsistent role-based access control enforcement allows low-privileged users to view and create work items in modules that should be inaccessible. Organizations using affected SuiteCRM versions are strongly advised to upgrade to the latest patched releases to mitigate these risks.
Mar 21, 2026
High-Severity SQL Server RCE and Auth0 Next.js Token Leak Disclosed
A high-severity vulnerability tracked as **`CVE-2026-33120`** was disclosed in Microsoft SQL Server, where an untrusted pointer dereference can allow **remote code execution** by an authenticated attacker with low privileges. The flaw is rated **CVSS 8.8** and can be exploited over the network without user interaction, with potential impact across confidentiality, integrity, and availability. Successful exploitation could lead to **system-level compromise** of the database server, enabling database theft, credential dumping, lateral movement, and possible tenant-isolation escape in shared or multi-tenant deployments. A separate disclosure, **`CVE-2026-40155`**, affects the **Auth0 Next.js SDK** and stems from a race condition in the DPoP proxy fetcher that can expose one user’s session identifiers, access tokens, or API response data to another concurrent authenticated user. The issue is rated **CVSS 5.4** and is considered harder to exploit because it depends on precise timing, DPoP challenges, and concurrent requests reaching the application tier. Its impact is focused on **data confidentiality**, with low integrity impact, no availability impact, a low EPSS score, and no listing in CISA’s Known Exploited Vulnerabilities catalog.
Apr 21, 2026
Multiple Authorization and CSRF Vulnerabilities in Admidio
Several newly disclosed **Admidio** vulnerabilities allow unauthorized or improperly authorized state-changing actions in core modules handling roles, documents, and forums. One flaw in `modules/groups-roles/groups_roles.php` is a **CSRF** issue that can let an attacker trick an authenticated user with `rol_assign_roles` privileges into activating, deactivating, or deleting organizational roles because the server does not properly enforce anti-CSRF validation for some sensitive requests. Additional Admidio issues stem from **missing authorization checks** on destructive actions, allowing operations to proceed after insufficient validation. In the documents module, `modules/documents-files.php` uses read-access checks such as `getFolderForDownload()` and `getFileForDownload()` before executing `folder_delete` and `file_delete`, which can let any user who can view a file or folder delete it; in public-mode configurations, that can extend to **unauthenticated deletion** of public content. In the forum module, `modules/forum.php` validates a CSRF token for `topic_delete` and `post_delete` actions but fails to verify whether the requester is actually authorized to delete the targeted content, enabling arbitrary forum post or topic deletion. A separate disclosure affecting **Campus Educativa** describes an **IDOR** at `/administracion/admin_usuarios.cgi` that exposes enrolled-user data through brute-forced course IDs, but that is a different product and incident and should be treated separately.
Mar 20, 2026