{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38529", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T17:31:13.560Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:18:17.235Z"}, "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38529"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T17:31:09.862808Z", "id": "CVE-2026-38529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:31:13.560Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-38529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T17:31:09.862808Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:30:56.626Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38529"}], "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:18:17.235Z"}}}, "cveMetadata": {"cveId": "CVE-2026-38529", "state": "PUBLISHED", "dateUpdated": "2026-04-14T17:31:13.560Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webkul:krayin_crm:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C69541F8-F19B-4119-87E0-C9CC655FF002", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request."}], "id": "CVE-2026-38529", "lastModified": "2026-04-23T16:53:45.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-14T16:16:43.557", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38529"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/krayin/laravel-crm"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-639"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,2.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "laravel-crm", "vendor": "krayin"}], "analysis": {"en": {"generated_at": "2026-04-15T22:27:58.182604+00:00", "value": {"mitigation_remediation": ["Confirm whether your installation runs Webkul Krayin CRM v2.2.x or a prior vulnerable release.", "If a patch or newer non\u2011vulnerable version is available, upgrade immediately.", "If no patch is available, modify /Settings/UserController.php to ensure that the authenticated user\u2019s ID matches the target account\u2019s ID and that the user has appropriate permissions, addressing CWE\u2011269 and preventing manipulation of the user ID via request parameters, addressing CWE\u2011639.", "Alternatively, restrict access to the password reset endpoint to administrators only or block the endpoint until a full fix is applied.", "Actively monitor authentication and password\u2011reset logs for suspicious activity and reset credentials for any accounts that may have been compromised."], "summary": {"action": "Apply Patch", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "Webkul Krayin CRM 2.2.x is the only product noted as affected. No other vendors or product versions are listed.", "description_and_impact": "A broken object\u2011level authorization flaw exists in the /Settings/UserController.php endpoint of Webkul Krayin CRM version 2.2.x. The flaw allows an attacker who has already authenticated to reset the password of any user by sending a crafted HTTP request. The ability to change a user\u2019s password gives the attacker full control of that account, effectively enabling a complete account takeover.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.8, indicating high severity. The EPSS score is < 1%, representing a very low but non\u2011zero exploitation probability, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated session and the delivery of a crafted HTTP request to the exposed endpoint. Given the high severity score and the need for authentication, the risk is substantial for systems that use the vulnerable version."}}}}, "created": "2026-04-14T16:31:37.436495+00:00", "title": "Broken Object-Level Authorization Allows Authenticated Password Reset and Account Takeover", "updated": "2026-04-15T22:30:16.081872+00:00", "vendors": ["krayin", "krayin$PRODUCT$laravel-crm"]}