Skip to main content

CRM CVE-2026-38527

| EUVDEUVD-2026-22298 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-14 mitre GHSA-fpx9-9hq8-w2xc
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:00 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 16:00 euvd
EUVD-2026-22298
Analysis Generated
Apr 14, 2026 - 16:00 vuln.today
CVE Published
Apr 14, 2026 - 00:00 nvd
HIGH 8.5

DescriptionCVE.org

A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.

AnalysisAI

Server-Side Request Forgery in Webkul Krayin CRM 2.2.x enables authenticated users to scan internal network resources and access sensitive information through the webhook creation endpoint. Attackers with low-privilege accounts can send crafted POST requests to /settings/webhooks/create, forcing the server to make requests to arbitrary internal URLs. With CVSS 8.5 (High) and scope change to other components, this allows reconnaissance of internal infrastructure, access to cloud metadata endpoints, and potential lateral movement. EPSS data not available; no public exploit identified at time of analysis, though technical details are published in security advisory.

Technical ContextAI

Krayin CRM is a Laravel-based customer relationship management platform developed by Webkul. The vulnerability exists in the webhook creation functionality at /settings/webhooks/create, which fails to properly validate or sanitize URL inputs before making server-side HTTP requests. Server-Side Request Forgery (SSRF) vulnerabilities occur when an application accepts user-controlled URLs and makes requests without adequate validation, allowing attackers to abuse the server as a proxy. In this case, the webhook configuration feature-designed to send notifications to external services-can be manipulated to target internal network addresses (RFC 1918 private ranges, localhost, link-local addresses) or cloud metadata endpoints (169.254.169.254 for AWS/Azure/GCP). The scope change (S:C) in the CVSS vector indicates the vulnerability affects resources beyond the vulnerable component's security scope, meaning attackers can reach separate internal systems or services that trust requests from the CRM server.

RemediationAI

Organizations running Krayin CRM 2.2.x should immediately review the security advisory at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527 for vendor guidance and patch availability. No vendor-released patch version is independently confirmed from available data at time of analysis. As interim mitigation, implement network-level controls to restrict outbound connections from the CRM server to only necessary external webhook destinations using allowlist-based firewall rules. Block access to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254). Implement application-level input validation to reject webhook URLs containing private IP addresses, localhost references, or cloud metadata endpoints. Restrict webhook creation functionality to highly trusted administrative users only, reducing the PR:L attack surface. Monitor the official Krayin GitHub repository at https://github.com/krayin/laravel-crm for security patches and upgrade immediately when available.

Share

CVE-2026-38527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy