Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue.
AnalysisAI
Missing admin-only middleware on DaybydayCRM's SettingsController (updateOverall and updateFirstStep methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.
Technical ContextAI
DaybydayCRM is an open-source PHP/Laravel CRM application (CPE: cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:*). The root cause is CWE-306 (Missing Authentication for Critical Function): Laravel uses controller-level middleware to enforce access control per action method. The SettingsController applied admin-only middleware only to its index method, leaving updateOverall and updateFirstStep unprotected - any authenticated session could POST directly to these endpoints. The PR diff further reveals that delete operations across UsersController, ClientsController, TasksController, LeadsController, ProjectsController, and OffersController also lacked permission middleware, and that mass assignment protections (replacing $request->all() with $request->only([...])) were absent in status update endpoints. File upload permission checks in DocumentsController had been commented out entirely. This indicates the authorization gap was architectural rather than isolated to the settings handler.
RemediationAI
An upstream fix is available as GitHub Pull Request #363 (https://github.com/Bottelet/DaybydayCRM/pull/363); however, no tagged patched release version has been independently confirmed - the CHANGELOG within the PR marks changes as '[Unreleased] - 2026-04-08', meaning administrators must manually apply the patch from the PR rather than relying on a version bump. After patching, run php artisan db:seed --class=PermissionsTableSeeder to provision the new delete permissions (task-delete, lead-delete, project-delete) required by the updated permission system. As a compensating control before patching, restrict HTTP access to the settings endpoints (/settings/updateOverall, /settings/updateFirstStep) at the reverse proxy or web server layer to admin-only IP ranges - note this may disrupt legitimate admin workflows for administrators on dynamic IPs. Additionally, audit role assignments to minimize the number of accounts with any CRM access until the patch is applied. VulDB advisory is at https://vuldb.com/cve/CVE-2026-10283.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33747
GHSA-p22j-x82x-qp9f