What is the CVSS score of EUVD-2026-24199?

EUVD-2026-24199 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.1%.

Which versions of Crafty Controller are affected by EUVD-2026-24199?

CVE-2026-5652 is a critical privilege escalation vulnerability in Crafty Controller that allows authenticated high-privilege administrators to modify other user accounts through improper API…

How to fix or mitigate EUVD-2026-24199?

Within 24 hours: Inventory all Crafty Controller deployments and document current version numbers; restrict API access to Crafty Controller Users API to essential administrators only and enable detailed logging of all user account modification attempts. Within 7 days: Implement network segmentation to limit administrative access to Crafty Controller to specific trusted networks or VPNs; conduct audit of recent user account modifications for unauthorized changes. Within 30 days: Monitor vendor communications for patch availability; evaluate alternative controllers or upgrade path; conduct comprehensive access review of all high-privilege administrative accounts in Crafty Controller.

Crafty Controller EUVD-2026-24199

| CVE-2026-5652 CRITICAL

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-04-21 GitLab

GHSA-8mj7-3xh5-xpj7

Authentication Bypass Crafty Controller

9.0

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.0 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Re-analysis Queued

Apr 21, 2026 - 18:22 vuln.today

cvss_changed

Analysis Generated

Apr 21, 2026 - 17:34 vuln.today

EUVD ID Assigned

Apr 21, 2026 - 17:00 euvd

EUVD-2026-24199

Analysis Generated

Apr 21, 2026 - 17:00 vuln.today

CVE Published

Apr 21, 2026 - 16:33 nvd

CRITICAL 9.0

DescriptionCVE.org

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.

AnalysisAI

Crafty Controller Users API allows authenticated administrators with high privileges to modify other user accounts due to improper API permission validation. Despite requiring PR:H (high privileges) and authentication, the vulnerability achieves CVSS 9.0 due to scope change, enabling privilege escalation and potential system-wide compromise. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain admin credentials

Delivery

Authenticate to Crafty Controller

Exploit

Craft malicious Users API request

Install

Manipulate user ID parameter

Bypass authorization validation

Execute

Modify unauthorized user accounts

Impact

Escalate privileges or establish persistence

Recon

Obtain admin credentials

Delivery

Authenticate to Crafty Controller

Exploit

Craft malicious Users API request

Install

Manipulate user ID parameter

Bypass authorization validation

Execute

Modify unauthorized user accounts

Impact

Escalate privileges or establish persistence

Vulnerability AssessmentAI

Exploitation	Requires authenticated access with high-privilege administrative credentials (PR:H from CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is moderate-to-high despite the 9.0 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with compromised high-privilege administrative credentials authenticates to the Crafty Controller web interface and directly crafts API requests to the Users API endpoint, manipulating user ID parameters to modify accounts outside their intended scope. By exploiting the missing authorization validation (CWE-639), the attacker escalates their privileges, modifies other administrator accounts, injects backdoor accounts, or alters user permissions to gain persistent access across the Minecraft server management infrastructure.
Remediation	Review the GitLab work item at https://gitlab.com/crafty-controller/crafty-4/-/work_items/705 for vendor-provided fixes and affected version details. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Crafty Controller deployments and document current version numbers; restrict API access to Crafty Controller Users API to essential administrators only and enable detailed logging of all user account modification attempts. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-24199 vulnerability details – vuln.today

Back

Crafty Controller EUVD-2026-24199

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code