{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38530", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T17:28:56.838Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:18:58.382Z"}, "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T17:28:44.645761Z", "id": "CVE-2026-38530", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:28:56.838Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-38530", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T17:28:44.645761Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:28:28.408Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530"}], "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:18:58.382Z"}}}, "cveMetadata": {"cveId": "CVE-2026-38530", "state": "PUBLISHED", "dateUpdated": "2026-04-14T17:28:56.838Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webkul:krayin_crm:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C69541F8-F19B-4119-87E0-C9CC655FF002", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request."}], "id": "CVE-2026-38530", "lastModified": "2026-04-23T16:53:19.123", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-14T16:16:43.697", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/krayin/laravel-crm"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,2.3.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "laravel-crm", "vendor": "krayin"}], "analysis": {"en": {"generated_at": "2026-04-14T16:25:05.833435+00:00", "value": {"mitigation_remediation": ["Update Webkul Krayin CRM to the latest release that removes the object\u2011level authorization flaw.", "If an update is not immediately available, restrict access to the Lead CRUD endpoints and implement server\u2011side checks to confirm that a lead belongs to the authenticated user before allowing read, modify, or delete operations.", "Monitor application logs for unexpected GET requests to the LeadController endpoint and investigate any anomalies.", "Follow vendor advisories and apply any interim security measures they recommend until a patch is released."], "summary": {"action": "Patch Immediately", "impact": "Unauthorized Lead Data Access and Deletion"}, "threat_synthesis": {"affected_systems": "Webkul Krayin CRM version 2.2.x is affected. The vendor is Webkul and the product is Krayin CRM. No other product or version information is supplied.", "description_and_impact": "A broken object\u2011level authorization flaw in the LeadController of Webkul Krayin CRM permits an authenticated attacker to supply a crafted GET request that reveals, modifies, or permanently deletes any lead owned by another user. The vulnerability compromises confidentiality by allowing unauthorized read access, integrity through unauthorized modifications, and availability through permanent removal of lead records, affecting all three security categories.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. EPSS is not available and the issue does not appear in the CISA KEV catalog. The description indicates that the attack requires authentication, so an attacker must log in before exploiting the flaw. The attack can be carried out by sending a specially constructed GET request to the vulnerable endpoint. Given the high impact and the need for authentication, the risk is substantial for systems where many users have access to the application."}}}}, "created": "2026-04-14T16:31:36.456425+00:00", "title": "Broken Object\u2011Level Authorization in Webkul Krayin CRM Exposes Lead Data", "updated": "2026-04-15T21:03:06.802951+00:00", "vendors": ["krayin", "krayin$PRODUCT$laravel-crm"], "weaknesses": ["CWE-284", "CWE-639"]}