Platform: php
Component: krayin/laravel-crm
Fixed in: 2.2.1
CVE-2026-38530 describes a Broken Object-Level Authorization (BOLA) vulnerability discovered in Webkul Krayin CRM versions 2.2.0 and earlier. This flaw allows authenticated attackers to bypass access controls and manipulate sensitive lead data belonging to other users. The vulnerability impacts installations of Krayin CRM running on PHP and is addressed with an upgrade to version 2.3.0.
The BOLA vulnerability in Krayin CRM allows an authenticated attacker to gain unauthorized access to lead data. By crafting specific GET requests, an attacker can read, modify, and permanently delete any lead record, regardless of ownership. This represents a significant data integrity and confidentiality risk. An attacker could potentially steal sensitive customer information, alter lead statuses to manipulate sales pipelines, or completely erase critical data. The blast radius extends to all users of the CRM system, as any authenticated user could be targeted. This vulnerability shares similarities with other BOLA flaws where improper authorization checks lead to unauthorized data manipulation.
CVE-2026-38530 was publicly disclosed on 2026-04-14. The vulnerability's severity is rated HIGH (CVSS 8.1). No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of the BOLA vulnerability suggests that exploitation is relatively straightforward for skilled attackers. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-38530 is to upgrade Krayin CRM to version 2.3.0 or later, which contains the necessary fixes. If an immediate upgrade is not feasible, consider temporary workarounds: restrict access to the lead routes served by /Controllers/Lead/LeadController.php with a Web Application Firewall (WAF) or reverse proxy that filters requests on the authenticated user's ID, so that a user can only reach records they are authorized for, and review the application's access-control checks to prevent similar flaws. After upgrading, confirm the fix by attempting to access and modify lead records belonging to another user – access should be denied.
Update the Krayin CRM module to version 2.3.0 or higher to mitigate the object-level authorization vulnerability. Verify and strengthen the authorization checks in /Controllers/Lead/LeadController.php so that users can only read, modify or delete leads they are authorized to access.
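One form of the object-level authorization check the remediation calls for, written as an added example: this is plain PHP, not Krayin's own LeadController code, and it is independent of Laravel so it runs from the command line. The in-memory lead store, the RequestContext class and the handler names are constructed for illustration. It puts the unchecked handler (the BOLA pattern) beside the hardened one and includes the post-upgrade check from the mitigation section, where a user acting on another user's lead must be refused while the owner and an administrator still succeed.

```php
<?php
declare(strict_types=1);

// Added illustration, not Krayin's code. Constructed in-memory lead store standing
// in for the database: lead 1 belongs to user 10, lead 2 to user 20.
$leads = [
    1 => ['id' => 1, 'title' => 'Acme renewal',  'user_id' => 10, 'status' => 'open'],
    2 => ['id' => 2, 'title' => 'Globex upsell', 'user_id' => 20, 'status' => 'open'],
];

// Hypothetical request context: the authenticated user's id and role.
final class RequestContext
{
    public function __construct(public int $userId, public bool $isAdmin = false) {}
}

// BOLA pattern: the handler trusts the client-supplied lead id and never asks
// whether the caller may touch that record, so any authenticated user can change
// every lead simply by varying the id in the request.
function updateLeadVulnerable(array &$leads, RequestContext $ctx, int $leadId, string $newStatus): array
{
    if (!isset($leads[$leadId])) {
        return ['code' => 404, 'body' => 'not found'];
    }
    $leads[$leadId]['status'] = $newStatus;   // no ownership check at all
    return ['code' => 200, 'body' => $leads[$leadId]];
}

// Object-level authorization decision: the caller must own the lead or hold an
// administrative role. Kept in one function so every lead route (view, update,
// delete) makes the same decision.
function canAccessLead(array $lead, RequestContext $ctx): bool
{
    return $ctx->isAdmin || $lead['user_id'] === $ctx->userId;
}

// Hardened handler: authorize before mutating. Answering 404 rather than 403 for a
// foreign record also avoids confirming to the caller that the id exists.
function updateLeadHardened(array &$leads, RequestContext $ctx, int $leadId, string $newStatus): array
{
    if (!isset($leads[$leadId]) || !canAccessLead($leads[$leadId], $ctx)) {
        return ['code' => 404, 'body' => 'not found'];
    }
    $leads[$leadId]['status'] = $newStatus;
    return ['code' => 200, 'body' => $leads[$leadId]];
}

// Post-fix verification as the advisory describes it: a user acting on another
// user's lead is refused and the record stays untouched, while the owner and an
// administrator can still update it.
function verifyLeadAuthorization(array $leads): bool
{
    $otherUser = new RequestContext(userId: 10);
    $owner     = new RequestContext(userId: 20);
    $admin     = new RequestContext(userId: 99, isAdmin: true);

    $foreign   = updateLeadHardened($leads, $otherUser, 2, 'won');
    $untouched = $leads[2]['status'] === 'open';
    $own       = updateLeadHardened($leads, $owner, 2, 'won');
    $byAdmin   = updateLeadHardened($leads, $admin, 1, 'lost');

    return $foreign['code'] === 404 && $untouched
        && $own['code'] === 200 && $leads[2]['status'] === 'won'
        && $byAdmin['code'] === 200 && $leads[1]['status'] === 'lost';
}

// Show the contrast on a fresh copy: user 10 acting on lead 2 with each handler.
$copy = $leads;
$r = updateLeadVulnerable($copy, new RequestContext(userId: 10), 2, 'won');
echo "unchecked handler, foreign lead: HTTP {$r['code']}, status now {$copy[2]['status']}\n";

echo verifyLeadAuthorization($leads)
    ? "hardened handler: ownership enforced on every path\n"
    : "hardened handler: CHECK FAILED\n";
```

Routing every lead operation through a single decision function is the point: the advisory's flaw class arises when one route (here a GET that mutates or deletes) skips the check the others perform, and a shared authorization helper makes that omission visible in code review and trivial to test.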
v2.2.x?
CVE-2026-38530 is a Broken Object-Level Authorization vulnerability in Krayin CRM versions 2.2.0 and earlier, allowing attackers to manipulate other users' lead data.
v2.2.x?
Yes, if you are using Krayin CRM version 2.2.0 or earlier, you are vulnerable to this BOLA flaw.
v2.2.x?
Upgrade Krayin CRM to version 2.3.0 or later to resolve the vulnerability. Implement WAF rules as a temporary workaround if upgrading is not immediately possible.
While no public exploits are currently known, the vulnerability's nature suggests it is likely to be targeted by attackers.
Refer to the Webkul security advisory page for the latest information and updates regarding CVE-2026-38530.