Platform
php
Component
krayin/laravel-crm
Fixed in
2.2.1
CVE-2026-38529 describes a Broken Object-Level Authorization (BOLA) vulnerability within the Krayin CRM system, specifically affecting versions up to 2.2.0. This flaw allows authenticated attackers to maliciously reset user passwords, leading to complete account takeover. The vulnerability resides in the /Settings/UserController.php endpoint and has been addressed in version 2.3.0.
The impact of CVE-2026-38529 is significant, enabling an attacker with valid credentials to compromise any user account within the Krayin CRM system. By exploiting this BOLA vulnerability, an attacker can craft a malicious HTTP request to reset a target user's password without proper authorization checks. This effectively grants the attacker full control over the compromised account, including access to sensitive customer data, configuration settings, and potentially other connected systems. The blast radius extends to all users of the affected Krayin CRM instances, and the ease of exploitation makes it a high-priority concern.
CVE-2026-38529 was publicly disclosed on April 14, 2026. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the potential for significant impact warrant immediate attention. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-38529 is to immediately upgrade Krayin CRM to version 2.3.0 or later, which includes the necessary authorization checks to prevent password resets without proper validation. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting access to the /Settings/UserController.php endpoint to only authorized administrators. Review user access controls and enforce strong password policies. Monitor logs for suspicious password reset activity. After upgrading, confirm the fix by attempting a password reset with a non-administrator account and verifying that the action is denied.
Update Krayin CRM to version 2.3.0 or later to mitigate the vulnerability. This update fixes the broken object-level authorization (BOLA) in the /Settings/UserController.php endpoint and thereby prevents unauthorized manipulation of user passwords and account management.
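The mitigation above, and the BOLA definition in the FAQ below, describe a missing object-level check on a password-update action and a way to confirm the fix (a non-administrator must be denied). The following Laravel code is an added illustration of that pattern and is not Krayin's code: the `UserPolicy` class, the `updatePassword` ability, the `hasRole('admin')` helper, the route `/settings/users/{id}/password` and the request field names are all assumptions. The first controller method shows the unguarded pattern; the second is the same action gated by a policy; the feature test is the verification step from the mitigation section.

```php
<?php
// Added illustration (hypothetical, not Krayin's code). Three files are shown
// in one block; the comment above each class names its intended location.

// app/Policies/UserPolicy.php
namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // Object-level rule: only the account owner or an administrator may change
    // the password of $target. hasRole() is an assumed helper on the User model.
    public function updatePassword(User $actor, User $target): bool
    {
        return $actor->id === $target->id || $actor->hasRole('admin');
    }
}

// app/Http/Controllers/Settings/UserController.php
namespace App\Http\Controllers\Settings;

use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Facades\Hash;

class UserController extends Controller
{
    use AuthorizesRequests;

    // BOLA pattern: the target account is chosen by a client-supplied id and
    // its password is overwritten without checking that the caller may do so.
    // Any authenticated user can therefore reset any other user's password.
    public function updatePasswordUnguarded(Request $request, int $id)
    {
        $user = User::findOrFail($id);
        $user->password = Hash::make($request->input('password'));
        $user->save();
        return response()->noContent();
    }

    // Hardened: identical action, but authorize() consults UserPolicy before
    // anything is written. A caller who is neither the owner nor an admin
    // receives a 403 via AuthorizationException. Laravel auto-discovers the
    // policy for App\Models\User; older apps register it in AuthServiceProvider.
    public function updatePassword(Request $request, int $id)
    {
        $user = User::findOrFail($id);
        $this->authorize('updatePassword', $user);

        $data = $request->validate([
            'password' => ['required', 'string', 'min:12', 'confirmed'],
        ]);
        $user->password = Hash::make($data['password']);
        $user->save();
        return response()->noContent();
    }
}

// tests/Feature/PasswordUpdateTest.php
// The check the mitigation section describes: a non-administrator attempting
// to reset another user's password must be denied (HTTP 403).
namespace Tests\Feature;

use App\Models\User;
use Tests\TestCase;

class PasswordUpdateTest extends TestCase
{
    public function test_non_admin_cannot_reset_another_users_password(): void
    {
        $otherUser = User::factory()->create();   // plain, non-admin account
        $victim    = User::factory()->create();

        $this->actingAs($otherUser)
             ->patch("/settings/users/{$victim->id}/password", [
                 'password'              => 'Correct-Horse-Battery-Staple',
                 'password_confirmation' => 'Correct-Horse-Battery-Staple',
             ])
             ->assertForbidden();

        // The stored hash must be untouched after the denied request.
        $this->assertTrue($victim->fresh()->password === $victim->password);
    }
}
```

The important design point is that the authorization decision keys on the target object (`$user`), not merely on whether the caller is logged in; that is the distinction between authentication, which the vulnerable method already has, and object-level authorization, which it lacks. The feature test is the automated form of the manual check the mitigation section recommends, and it should fail on an unpatched build and pass after upgrading.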
BOLA stands for Broken Object-Level Authorization, a type of security vulnerability in which the application does not properly verify whether a user has permission to access or modify a specific object.
If an immediate update is not possible, implement additional security measures such as two-factor authentication (2FA) and review access permissions.
Yes, this vulnerability affects all Krayin CRM installations running versions v2.2.x.
Check the version of krayin/laravel-crm installed on your system. If it is v2.2.x, it is vulnerable.
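The version check above is most reliably done against the application's composer.lock rather than by trusting a UI banner. The script below is an added helper, not part of the advisory or the Krayin project: it reads a composer.lock, locates krayin/laravel-crm in the `packages` and `packages-dev` sections, and compares the locked version with the upgrade target named in the advisory text (2.3.0, held in a constant you can adjust). The embedded lock-file content is constructed for the demonstration; pass a real path as the first argument to check an actual installation.

```php
<?php
// Added helper (not part of the advisory or the Krayin project).
// Usage: php check-krayin.php [path/to/composer.lock]
// Exit code 1 = vulnerable version found, 0 = fixed or not installed, 2 = read error.

declare(strict_types=1);

const PACKAGE  = 'krayin/laravel-crm';
const FIXED_IN = '2.3.0';   // upgrade target named in the advisory text; adjust if needed

/** Return the locked version string of $package, or null if it is not present. */
function lockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? '') === $package) {
                return $entry['version'] ?? null;
            }
        }
    }
    return null;
}

/**
 * Classify a locked version as 'vulnerable', 'fixed' or 'unknown'.
 * Branch installs (dev-main, dev-master) carry no comparable number and are
 * reported as unknown rather than silently treated as safe.
 */
function assess(?string $version, string $fixedIn = FIXED_IN): string
{
    if ($version === null || str_starts_with($version, 'dev-')) {
        return 'unknown';
    }
    $normalized = ltrim($version, 'vV');   // Composer records tags as v2.2.0 or 2.2.0
    return version_compare($normalized, $fixedIn, '<') ? 'vulnerable' : 'fixed';
}

// Constructed sample lock file, reduced to the fields this script reads.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "laravel/framework", "version": "v10.48.0"},
    {"name": "krayin/laravel-crm", "version": "v2.2.0"}
  ],
  "packages-dev": []
}
JSON;

$path = $argv[1] ?? null;
$json = $path !== null ? @file_get_contents($path) : $sampleLock;
if ($json === false) {
    fwrite(STDERR, "cannot read {$path}\n");
    exit(2);
}

$version = lockedVersion($json, PACKAGE);
$status  = assess($version);
printf("%s: %s -> %s\n", PACKAGE, $version ?? 'not installed', $status);
exit($status === 'vulnerable' ? 1 : 0);
```

Run against the embedded sample it reports `v2.2.0 -> vulnerable` and exits 1, which makes it usable as a CI gate. An `unknown` result for a branch alias means the check has to be done by hand, for example by confirming that the commit in the lock file's `source.reference` field includes the fix.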
You can find more information about CVE-2026-38529 in vulnerability databases such as the National Vulnerability Database (NVD).