Skip to main content

DaybydayCRM EUVDEUVD-2026-33747

| CVE-2026-10283 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-01 VulDB GHSA-p22j-x82x-qp9f
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 01, 2026 - 19:36 vuln.today
Analysis Generated
Jun 01, 2026 - 19:36 vuln.today
CVSS changed
Jun 01, 2026 - 19:22 NVD
6.3 (MEDIUM) 5.3 (MEDIUM)

DescriptionCVE.org

A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue.

AnalysisAI

Missing admin-only middleware on DaybydayCRM's SettingsController (updateOverall and updateFirstStep methods) allows any authenticated low-privilege user to modify critical company-wide configurations - including currency, VAT rates, invoice numbering, and business hours - in versions up to 2.2.1. The PR diff confirms the vulnerability is part of a systemic authorization failure across multiple controllers: authenticated users could also delete any resource (clients, tasks, leads, projects) and exploit mass assignment flaws in status update endpoints. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though an upstream patch PR has been submitted.

Technical ContextAI

DaybydayCRM is an open-source PHP/Laravel CRM application (CPE: cpe:2.3:a:bottelet:daybydaycrm:*:*:*:*:*:*:*:*). The root cause is CWE-306 (Missing Authentication for Critical Function): Laravel uses controller-level middleware to enforce access control per action method. The SettingsController applied admin-only middleware only to its index method, leaving updateOverall and updateFirstStep unprotected - any authenticated session could POST directly to these endpoints. The PR diff further reveals that delete operations across UsersController, ClientsController, TasksController, LeadsController, ProjectsController, and OffersController also lacked permission middleware, and that mass assignment protections (replacing $request->all() with $request->only([...])) were absent in status update endpoints. File upload permission checks in DocumentsController had been commented out entirely. This indicates the authorization gap was architectural rather than isolated to the settings handler.

RemediationAI

An upstream fix is available as GitHub Pull Request #363 (https://github.com/Bottelet/DaybydayCRM/pull/363); however, no tagged patched release version has been independently confirmed - the CHANGELOG within the PR marks changes as '[Unreleased] - 2026-04-08', meaning administrators must manually apply the patch from the PR rather than relying on a version bump. After patching, run php artisan db:seed --class=PermissionsTableSeeder to provision the new delete permissions (task-delete, lead-delete, project-delete) required by the updated permission system. As a compensating control before patching, restrict HTTP access to the settings endpoints (/settings/updateOverall, /settings/updateFirstStep) at the reverse proxy or web server layer to admin-only IP ranges - note this may disrupt legitimate admin workflows for administrators on dynamic IPs. Additionally, audit role assignments to minimize the number of accounts with any CRM access until the patch is applied. VulDB advisory is at https://vuldb.com/cve/CVE-2026-10283.

Share

EUVD-2026-33747 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy