CVE-2026-38530

| EUVD-2026-22301 HIGH
2026-04-14 mitre GHSA-rm5f-3c25-p4cw
PHP Authentication Bypass
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:01 vuln.today

DescriptionNVD

A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.

AnalysisAI

Broken Object-Level Authorization in Webkul Krayin CRM 2.2.x allows authenticated attackers to read, modify, and permanently delete leads belonging to other users via crafted GET requests to the LeadController endpoint. This multi-tenant access control failure enables horizontal privilege escalation across customer boundaries. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all Webkul Krayin CRM 2.2.x instances in production and development environments; disable or restrict external API access to LeadController endpoints via WAF or network segmentation. Within 7 days: Implement object-level access control validation at the application layer requiring verified ownership checks on all lead requests; conduct access logs review for unauthorized lead access patterns. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-38530 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy