Platform
php
Component
krayin/laravel-crm
Fixed in
2.2.1
CVE-2026-38529 is a Broken Object-Level Authorization (BOLA) vulnerability in the user-management controller (Settings/UserController.php) of Webkul Krayin CRM. The controller's password-update handling does not check that the authenticated caller is allowed to act on the user record it targets, so any logged-in user can set another user's password and take over that account. Krayin CRM versions up to and including 2.2.0 are affected; the fix first shipped in 2.2.1 and is also present in 2.3.0 and later.
In krayin/laravel-crm the flaw sits in the password-update code path of Settings/UserController.php. An authenticated attacker with ordinary access to the application can reset the password of an arbitrary user, including administrators, and then log in as that user: a full account takeover that exposes the CRM's customer data and lets the attacker act with the victim's privileges. The vulnerability carries a CVSS score of 8.8 (high). The root cause is a missing authorization check: the handler performs the password write without verifying that the caller has permission over the targeted user object.
Exploitation requires nothing more than a valid session. The attacker sends a password-update request to the route served by Settings/UserController.php, naming the victim as the target user and supplying a new password of their choosing. The handler neither asks for the victim's current password nor checks whether the caller is the account owner or holds a role entitled to manage other users, so the write goes through and the attacker can authenticate as the victim. No administrative privileges are needed; any authenticated user of the CRM can perform the attack.
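The following is an added illustration of the flaw class described above, written for this page; it is not Krayin's code and does not reproduce its controller. The in-memory user table, the role names `admin` and `agent`, and the function names are assumptions for the example. The vulnerable function mirrors the described behaviour (the target user id is taken from the request and written without any permission check); the hardened function adds the object-level authorization that was missing, plus re-authentication for self-service changes.

```php
<?php
// Added example for CVE-2026-38529's flaw class (not Krayin's code).
// User store, roles and function names are assumptions for illustration.
declare(strict_types=1);

// Constructed in-memory user table standing in for the application's users table.
function sampleUsers(): array {
    return [
        1 => ['id' => 1, 'role' => 'admin', 'password' => password_hash('admin-pass-1', PASSWORD_DEFAULT)],
        2 => ['id' => 2, 'role' => 'agent', 'password' => password_hash('agent-pass-2', PASSWORD_DEFAULT)],
        3 => ['id' => 3, 'role' => 'agent', 'password' => password_hash('agent-pass-3', PASSWORD_DEFAULT)],
    ];
}

// Vulnerable shape (kept deliberately insecure for contrast): any authenticated
// actor may set any user's password. The target id comes straight from the
// request and nothing checks ownership or role before the write.
function updatePasswordVulnerable(array &$users, int $actorId, int $targetId, string $newPassword): bool {
    if (!isset($users[$actorId], $users[$targetId])) {
        return false; // only "is someone logged in and does the target exist"
    }
    $users[$targetId]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Hardened shape: object-level authorization before the write.
//  - an admin may reset any account (the legitimate management use case);
//  - anyone else may change only their own password, and only after proving
//    the current one, so a hijacked session cannot silently lock the owner out.
function updatePasswordHardened(array &$users, int $actorId, int $targetId,
                                string $newPassword, ?string $currentPassword = null): bool {
    if (!isset($users[$actorId], $users[$targetId])) {
        return false;
    }
    $actor   = $users[$actorId];
    $isAdmin = $actor['role'] === 'admin';
    $isSelf  = $actorId === $targetId;

    if (!$isAdmin && !$isSelf) {
        return false; // object-level check: neither your account nor your role
    }
    if ($isSelf && !$isAdmin) {
        // Self-service change: require the current password (re-authentication).
        if ($currentPassword === null || !password_verify($currentPassword, $actor['password'])) {
            return false;
        }
    }
    if (strlen($newPassword) < 12) {
        return false; // minimal length policy; a real app would apply its password rules here
    }
    $users[$targetId]['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Demo: agent (id 2) tries to reset the admin's (id 1) password.
$users = sampleUsers();
$accepted = updatePasswordVulnerable($users, 2, 1, 'attacker-chosen-pw');
echo 'vulnerable handler accepted agent->admin reset: ', var_export($accepted, true), PHP_EOL;
echo 'attacker can now log in as admin: ',
     var_export(password_verify('attacker-chosen-pw', $users[1]['password']), true), PHP_EOL;

$users = sampleUsers();
$accepted = updatePasswordHardened($users, 2, 1, 'attacker-chosen-pw');
echo 'hardened handler accepted agent->admin reset: ', var_export($accepted, true), PHP_EOL;
$accepted = updatePasswordHardened($users, 2, 2, 'a-much-longer-new-pw', 'agent-pass-2');
echo 'hardened handler accepted self-change with current password: ', var_export($accepted, true), PHP_EOL;
```

In a Laravel controller the equivalent of the hardened branch is an explicit policy or gate check on the loaded user model before the update (for example `$this->authorize('update', $user)`), not a check that merely confirms the caller is logged in. The route being behind authentication middleware is what makes this a BOLA rather than an unauthenticated bug: the caller is known, but their right to the specific object is never tested.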
Exploit Status
EPSS
0.04% (13th percentile)
The recommended remediation for CVE-2026-38529 is to update krayin/laravel-crm to 2.2.1 or later (2.3.0 and later also contain the fix), which adds the missing authorization check to the password-update path. Alongside the update, enable two-factor authentication for all users, review which accounts hold user-management permissions, audit recent password changes and logins for accounts that did not initiate them, and tighten the password policy so that a reset attempt is not the only barrier to an account. Prioritise the update: exploitation needs only an ordinary authenticated session.
Update Krayin CRM to 2.2.1 or later (including 2.3.0 and later) to mitigate the vulnerability. The fix adds object-level authorization to the password-update path in Settings/UserController.php, so a caller can no longer change another user's password without the permission to do so.
BOLA stands for Broken Object-Level Authorization, a class of vulnerability in which an application authenticates the caller but never verifies that the caller is permitted to act on the specific object the request names. Here the object is another user's account and the action is setting its password.
If you cannot update immediately, enable 2FA for all users, restrict which accounts can reach the user-management screens, review access permissions, and watch for password changes that the account owner did not request.
Yes. Every Krayin CRM installation running 2.2.0 or earlier is affected, regardless of how it is deployed; only releases from 2.2.1 onward contain the fix.
Check the version of krayin/laravel-crm installed on your system. If it is 2.2.0 or earlier, it is vulnerable; 2.2.1 and later contain the fix.
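The following is an added example, written for this page and not part of Krayin or the advisory, that turns the version check into a script. It reads a Composer manifest and compares the recorded version against 2.2.1, the first fixed release listed above. It assumes the version is recorded either as a `version` key in a root composer.json named `krayin/laravel-crm` or as a `krayin/laravel-crm` entry in a composer.lock; if your deployment records the version elsewhere (for example only as the Git tag you checked out), pass that version string to `isAffected()` directly.

```php
<?php
// Added example (not Krayin's code): is the installed krayin/laravel-crm
// version in the affected range for CVE-2026-38529?
// Assumption: the version is recorded in a composer.json / composer.lock
// manifest; confirm against your actual release tag if it is not.
declare(strict_types=1);

const KRAYIN_PACKAGE     = 'krayin/laravel-crm';
const KRAYIN_FIRST_FIXED = '2.2.1'; // "Fixed in" value from this page

// Normalise tags like "v2.2.0" so version_compare() sees plain numbers.
function normalizeVersion(string $v): string {
    return ltrim(trim($v), 'vV');
}

// Returns the recorded version of $name from a decoded manifest, or null if absent.
function findPackageVersion(array $manifest, string $name): ?string {
    // Root composer.json shape: "name" and "version" at the top level.
    if (($manifest['name'] ?? null) === $name && isset($manifest['version'])) {
        return normalizeVersion((string) $manifest['version']);
    }
    // composer.lock shape: the package is an element of "packages" / "packages-dev".
    foreach (array_merge($manifest['packages'] ?? [], $manifest['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? null) === $name && isset($pkg['version'])) {
            return normalizeVersion((string) $pkg['version']);
        }
    }
    return null;
}

// True when the version is older than the first fixed release.
function isAffected(string $version): bool {
    return version_compare(normalizeVersion($version), KRAYIN_FIRST_FIXED, '<');
}

// Reads a manifest file from disk and reports on it.
function checkManifestFile(string $path): string {
    $json = json_decode((string) file_get_contents($path), true);
    if (!is_array($json)) {
        return "$path: not a JSON manifest";
    }
    $version = findPackageVersion($json, KRAYIN_PACKAGE);
    if ($version === null) {
        return "$path: " . KRAYIN_PACKAGE . " not found";
    }
    return sprintf('%s: %s %s -> %s', $path, KRAYIN_PACKAGE, $version,
        isAffected($version) ? 'AFFECTED (update to ' . KRAYIN_FIRST_FIXED . ' or later)' : 'not affected');
}

// Constructed sample manifests so the script runs offline.
$samples = [
    'lock-sample' => '{"packages":[{"name":"krayin/laravel-crm","version":"v2.2.0"}]}',
    'root-sample' => '{"name":"krayin/laravel-crm","version":"2.3.0"}',
];
foreach ($samples as $label => $json) {
    $version = findPackageVersion(json_decode($json, true), KRAYIN_PACKAGE);
    printf("%s: %s -> %s\n", $label, $version, isAffected($version) ? 'AFFECTED' : 'not affected');
}

// Real use: php check_krayin.php /path/to/composer.lock
if (isset($argv[1])) {
    echo checkManifestFile($argv[1]), PHP_EOL;
}
```

The leading `v` is stripped before comparison because `version_compare()` treats unknown alphabetic tokens specially and would not compare `v2.2.0` against `2.2.1` as intended.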
You can find more information about CVE-2026-38529 in vulnerability databases such as the National Vulnerability Database (NVD).