{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-38532", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T17:27:56.674Z", "dateReserved": "2026-04-06T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:20:17.155Z"}, "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:U/UI:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-639", "lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T17:27:53.425762Z", "id": "CVE-2026-38532", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:27:56.674Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-38532", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T17:27:53.425762Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:27:30.200Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:U/UI:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/krayin/laravel-crm"}, {"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532"}], "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T15:20:17.155Z"}}}, "cveMetadata": {"cveId": "CVE-2026-38532", "state": "PUBLISHED", "dateUpdated": "2026-04-14T17:27:56.674Z", "dateReserved": "2026-04-06T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webkul:krayin_crm:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C69541F8-F19B-4119-87E0-C9CC655FF002", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request."}], "id": "CVE-2026-38532", "lastModified": "2026-04-23T16:52:55.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-14T16:16:43.830", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/krayin/laravel-crm"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.2.0,3.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "laravel-crm", "vendor": "krayin"}], "analysis": {"en": {"generated_at": "2026-04-14T20:48:06.053651+00:00", "value": {"mitigation_remediation": ["Upgrade Webkul Krayin CRM to a released version that fixes the authorization flaw. ", "If an update is not yet available, modify the PersonController to verify that the authenticated user owns the contact before allowing read, modify, or delete operations. ", "Limit access to the /Contact/Persons/PersonController.php endpoint to users with the appropriate roles or ownership checks. ", "Monitor authentication and access logs for abnormal activity on contact endpoints. ", "Perform a security audit of the CRM\u2019s access control logic to ensure similar gaps are not present elsewhere."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Modification"}, "threat_synthesis": {"affected_systems": "Webkul Krayin CRM version 2.2.x is vulnerable; all installations employing this version without a patch or mitigated code may be affected.", "description_and_impact": "A broken object\u2011level authorization flaw allows an authenticated user to view, edit, or permanently delete any contact in Webkul Krayin CRM, regardless of ownership. This grants attackers unauthorized access to sensitive personal data and the ability to tamper with or erase records, compromising both confidentiality and integrity of contact information.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, and the vulnerability is exploitable by any authenticated user. Although the EPSS score is not available and the issue is not listed in the KEV catalog, the exposed endpoint can be accessed through normal user authentication, making it potentially easy to exploit in environments with many active users."}}}}, "created": "2026-04-15T15:30:06.833620+00:00", "title": "Webkul Krayin CRM v2.2.x BOLA Enables Authenticated Users to Read, Modify, or Delete Other Users' Contacts", "updated": "2026-04-15T21:03:05.655506+00:00", "vendors": ["krayin", "krayin$PRODUCT$laravel-crm"]}