CVE-2026-38532

| EUVD-2026-22303 HIGH
2026-04-14 mitre GHSA-2xx8-j85v-j7wh
PHP Authentication Bypass
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:00 vuln.today

DescriptionNVD

A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.

AnalysisAI

Broken Object-Level Authorization in Webkul Krayin CRM v2.2.x allows authenticated attackers to access, modify, and delete contact records belonging to other users without authorization. The vulnerability exists in the PersonController.php endpoint where insufficient access controls permit low-privileged authenticated users to manipulate arbitrary contact objects via crafted GET requests. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all instances of Webkul Krayin CRM v2.2.x in production and document affected systems and user counts. Within 7 days: Implement network segmentation or IP-based access restrictions to limit CRM access to trusted internal networks only, and conduct an audit of contact record access logs for unauthorized modifications. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-38532 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy