{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5652", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-04-06T05:03:53.661Z", "datePublished": "2026-04-21T16:33:56.878Z", "dateUpdated": "2026-04-21T17:22:27.276Z"}, "containers": {"cna": {"title": "Authorization Bypass Through User-Controlled Key in Crafty Controller", "descriptions": [{"lang": "en", "value": "An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation."}], "affected": [{"vendor": "Arcadia Technology, LLC", "product": "Crafty Controller", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.10.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW", "baseScore": 9, "baseSeverity": "CRITICAL"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.10.3"}], "credits": [{"lang": "en", "value": "Thank you to [Kacper Leszczy\u0144ski / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue.", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-21T16:33:56.878Z"}}, "adp": [{"references": [{"url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:21:48.540617Z", "id": "CVE-2026-5652", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:22:27.276Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftycontrol:crafty_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AF622FA-E870-4D51-AB37-004E3574004C", "versionEndExcluding": "4.10.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation."}], "id": "CVE-2026-5652", "lastModified": "2026-04-27T19:47:08.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:57.793", "references": [{"source": "cve@gitlab.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "cve@gitlab.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.10.2]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Crafty Controller", "source": "cna", "vendor": "Arcadia Technology, LLC"}, "product": "crafty_controller", "vendor": "arcadia_technology"}], "analysis": {"en": {"generated_at": "2026-04-21T22:39:03.707414+00:00", "value": {"mitigation_remediation": ["Update Crafty Controller to version 4.10.3 or newer.", "Verify that the Users API endpoints enforce correct permission checks and that no arbitrary user identifiers are accepted without validation.", "Apply the principle of least privilege to user roles and restrict API access to trusted users or network segments."], "summary": {"action": "Apply Patch", "impact": "Unauthorized user modification via direct object reference"}, "threat_synthesis": {"affected_systems": "Vendors Arcadia Technology, LLC, product Crafty Controller. All releases prior to version 4.10.3 are affected, as the vulnerability exists in the Users API component before that patch.", "description_and_impact": "An insecure direct object reference in the Users API allows a remote, authenticated attacker to perform user modification actions through improper permission validation. This flaw can lead to unauthorized changes in user data, enabling privilege escalation or data tampering, compromising both data integrity and confidentiality. The weakness is a classic authorization bypass (CWE-639).", "risk_and_exploitability": "The CVSS score of 9 indicates a critical severity. The exploit requires authentication but can be performed remotely via the exposed API, making it feasible for attackers with valid credentials. No EPSS data is available, and the issue is not currently listed in the CISA KEV catalog. Attackers can use the compromised endpoint to modify other users, potentially granting further access or manipulating sensitive information."}}}}, "created": "2026-04-21T18:00:11.237220+00:00", "updated": "2026-04-21T22:45:16.058634+00:00", "vendors": ["arcadia_technology", "arcadia_technology$PRODUCT$crafty_controller"]}