Platform
php
Component
krayin/laravel-crm
Fixed in
2.2.1
CVE-2026-38532 is a Broken Object-Level Authorization (BOLA, also known as IDOR) vulnerability in Krayin CRM (krayin/laravel-crm) affecting versions up to and including 2.2.0. An authenticated user can bypass access controls and read or manipulate contact records that belong to other users. The flaw is in the person contact controller, Contact/Persons/PersonController.php: the routes served by that controller resolve the target person from the identifier supplied in the request without checking that the authenticated user is allowed to access that object, so exploitation amounts to sending an otherwise ordinary GET request with another user's person identifier. A fixed release is available (the Fixed in field above lists 2.2.1, while the advisory text names 2.3.0); confirm the exact fixed version against the vendor advisory before relying on either number.
The impact is significant. An authenticated attacker can read, modify, and permanently delete contact information owned by other users of the same Krayin CRM installation, which can result in data breaches, unauthorized changes to customer records, and disruption of business operations. Permanent deletion is the most severe outcome because the damage may be irreversible without backups. Authentication is required, but no special tooling or privileges are: any valid account is enough, and the attack is a matter of changing an identifier in a request, which makes misuse by insiders or holders of a single compromised account straightforward.
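The following is an added illustration, not Krayin's code and not the actual patch: a plain-PHP model of the controller pattern behind a BOLA bug (fetch by id, then act) next to the hardened form (fetch by id scoped to the authenticated owner, so a foreign id behaves exactly like a missing one). The `Person`, `PersonRepository` and controller classes, the `ownerUserId` column and the sample records are all assumptions made for the example. It runs stand-alone with `php bola_fix.php` on PHP 8.1 or later.

```php
<?php
// Added example (not Krayin's code): BOLA in a controller, vulnerable vs. hardened.
declare(strict_types=1);

final class Person
{
    public function __construct(
        public readonly int $id,
        public readonly int $ownerUserId,   // assumed ownership column
        public readonly string $name,
    ) {}
}

/** In-memory stand-in for the persons table. */
final class PersonRepository
{
    /** @var array<int, Person> */
    private array $rows = [];

    public function __construct(Person ...$persons)
    {
        foreach ($persons as $p) {
            $this->rows[$p->id] = $p;
        }
    }

    /** Vulnerable lookup: any row is reachable by id, whoever asks. */
    public function find(int $id): ?Person
    {
        return $this->rows[$id] ?? null;
    }

    /** Hardened lookup: ownership is part of the query itself, the plain-PHP
     *  equivalent of Eloquent's $request->user()->persons()->findOrFail($id). */
    public function findOwnedBy(int $userId, int $id): ?Person
    {
        $p = $this->rows[$id] ?? null;
        return ($p !== null && $p->ownerUserId === $userId) ? $p : null;
    }

    public function delete(int $id): void { unset($this->rows[$id]); }
    public function count(): int { return count($this->rows); }
}

final class Response
{
    public function __construct(public readonly int $status, public readonly ?string $body = null) {}
}

/** Mirrors the flaw: the object is resolved by id only, then acted on. */
final class VulnerablePersonController
{
    public function __construct(private PersonRepository $repo) {}

    public function destroy(int $currentUserId, int $personId): Response
    {
        $person = $this->repo->find($personId);      // no ownership check
        if ($person === null) { return new Response(404); }
        $this->repo->delete($person->id);             // deletes anyone's record
        return new Response(200);
    }
}

/** Fixed: a record the caller does not own is indistinguishable from a
 *  non-existent one (404), which also avoids an id-existence oracle. */
final class HardenedPersonController
{
    public function __construct(private PersonRepository $repo) {}

    public function show(int $currentUserId, int $personId): Response
    {
        $person = $this->repo->findOwnedBy($currentUserId, $personId);
        return $person === null ? new Response(404) : new Response(200, $person->name);
    }

    public function destroy(int $currentUserId, int $personId): Response
    {
        $person = $this->repo->findOwnedBy($currentUserId, $personId);
        if ($person === null) { return new Response(404); }
        $this->repo->delete($person->id);
        return new Response(200);
    }
}

function expect(bool $cond, string $what): void
{
    if (!$cond) { fwrite(STDERR, "FAIL: $what\n"); exit(1); }
}

// Constructed data: user 1 owns person 10, user 2 owns person 20.
$seed = fn(): PersonRepository => new PersonRepository(
    new Person(10, 1, 'Alice (owned by user 1)'),
    new Person(20, 2, 'Bob (owned by user 2)'),
);

$repo = $seed();
$vuln = new VulnerablePersonController($repo);
expect($vuln->destroy(1, 20)->status === 200, 'vulnerable: user 1 deletes user 2 record');
expect($repo->count() === 1, 'vulnerable: record really gone');

$repo = $seed();
$fixed = new HardenedPersonController($repo);
expect($fixed->show(1, 20)->status === 404, 'hardened: foreign record invisible');
expect($fixed->destroy(1, 20)->status === 404, 'hardened: foreign record undeletable');
expect($repo->count() === 2, 'hardened: nothing deleted');
expect($fixed->destroy(2, 20)->status === 200, 'hardened: owner still allowed');
echo "ok\n";
```

In a real Laravel application the same effect is obtained either by scoping the lookup through the authenticated user's relationship, as in the comment above, or by a Policy method (for example `view`/`update`/`delete` on the person model) enforced with `$this->authorize()` before any read or write; the important property is that the check happens per object on every route, not only on the listing page.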
CVE-2026-38532 was publicly disclosed on April 14, 2026. At the time of writing there is no indication of exploitation in the wild and no publicly available proof-of-concept, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score of 0.03% (9th percentile) accordingly predicts a low probability of observed exploitation. That figure should not be confused with difficulty: a BOLA flaw needs no exploit code, only a valid account and a changed identifier, so the practical risk for any installation with untrusted or numerous users is higher than the score alone suggests.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-38532 is to upgrade Krayin CRM to the fixed release (the Fixed in field above lists 2.2.1; the advisory text names 2.3.0; in either case every version up to 2.2.0 is affected, so move to the latest release and confirm against the vendor advisory). If an immediate upgrade is not feasible, reduce exposure rather than expecting to block the attack: review user accounts and restrict permissions to the minimum each role needs, remove or disable accounts that do not need contact access, and take and verify backups so that deletions can be reversed. A web application firewall is of limited use here, because a request for another user's record is byte-for-byte the same shape as a request for one's own; the only difference is the identifier. A WAF or rate limiter can at most flag one client walking many different person identifiers in a short period, which is the signature of enumeration, and this is not a substitute for patching. Monitor application and web-server logs for that pattern and for unusual volumes of contact edits and deletions.
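As an added example of the log monitoring suggested above (this is not part of the advisory or of Krayin), the script below scans web-server access logs in combined format for one client that touches many distinct person identifiers inside a sliding time window, which is what BOLA probing or enumeration looks like from the server side. The route pattern `/admin/contacts/persons/{id}` is an assumption to be adjusted to the deployment's real URLs, as are the thresholds, and the log lines are constructed sample data. It runs stand-alone with `php bola_scan.php`.

```php
<?php
// Added example (not Krayin's code): detect id enumeration in access logs.
declare(strict_types=1);

// Assumed route shape; change to match the deployment's actual person URLs.
const PERSON_ROUTE     = '#^/admin/contacts/persons/(\d+)(?:/(?:edit|delete))?(?:\?|$)#';
const WINDOW_SECONDS   = 300;   // sliding window length
const MAX_DISTINCT_IDS = 5;     // more distinct ids than this per window is a finding

/** Parse one combined-format line into ip/ts/method/path/status, or null. */
function parseLine(string $line): ?array
{
    $re = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) #';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'ts' => $ts->getTimestamp(), 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

/**
 * One finding per client IP whose WINDOW_SECONDS window ever contains more
 * than MAX_DISTINCT_IDS distinct person ids.
 * @param string[] $lines
 * @return array<string, array{ids:int[], first:int, last:int}>
 */
function findEnumeration(array $lines): array
{
    $events = [];   // ip => list of [timestamp, personId]
    foreach ($lines as $line) {
        $e = parseLine($line);
        if ($e === null || !preg_match(PERSON_ROUTE, $e['path'], $m)) {
            continue;
        }
        $events[$e['ip']][] = [$e['ts'], (int) $m[1]];
    }

    $findings = [];
    foreach ($events as $ip => $list) {
        usort($list, fn(array $a, array $b): int => $a[0] <=> $b[0]);
        $start = 0;
        for ($end = 0; $end < count($list); $end++) {
            while ($list[$end][0] - $list[$start][0] > WINDOW_SECONDS) {
                $start++;   // slide the window forward
            }
            $window = array_slice($list, $start, $end - $start + 1);
            $ids = array_values(array_unique(array_map(fn(array $x): int => $x[1], $window)));
            if (count($ids) > MAX_DISTINCT_IDS) {
                $findings[$ip] = ['ids' => $ids, 'first' => $list[$start][0], 'last' => $list[$end][0]];
            }
        }
    }
    return $findings;
}

// Constructed sample: 10.0.0.5 walks ids 101..107 in under a minute, 10.0.0.9 is normal use.
$sample = [];
for ($i = 101; $i <= 107; $i++) {
    $sample[] = sprintf('10.0.0.5 - - [14/Apr/2026:09:00:%02d +0000] "GET /admin/contacts/persons/%d HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
                        10 + ($i - 101) * 5, $i);
}
$sample[] = '10.0.0.9 - - [14/Apr/2026:09:01:00 +0000] "GET /admin/contacts/persons/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"';
$sample[] = '10.0.0.9 - - [14/Apr/2026:09:01:05 +0000] "GET /admin/contacts/persons/42/edit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"';
$sample[] = '10.0.0.9 - - [14/Apr/2026:09:02:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"';

foreach (findEnumeration($sample) as $ip => $f) {
    printf("%s touched %d distinct person ids between %s and %s: %s\n",
        $ip, count($f['ids']), gmdate('H:i:s', $f['first']), gmdate('H:i:s', $f['last']),
        implode(',', $f['ids']));
}
```

To run it against a real log, replace `$sample` with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)`. Keying on the client IP is a compromise forced by the combined log format, which carries no user identity; if the application log records the authenticated user id, key on that instead, since one user enumerating from several addresses is exactly the case IP grouping misses.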
Update the Krayin CRM module to the fixed release (2.2.1 according to the Fixed in field above, 2.3.0 according to the advisory text; verify with the vendor) to close the object-level authorization flaw. The update adds the missing check that the authenticated user is permitted to access the requested person record, so other users' contact data is no longer reachable by identifier. Review the access control policies in your own application for the same pattern: any route that loads a record by an id taken from the request must verify ownership or an equivalent permission on that specific object before reading, modifying or deleting it.
What is CVE-2026-38532 in Krayin CRM v2.2.x?
CVE-2026-38532 is a Broken Object-Level Authorization vulnerability in Krayin CRM versions up to and including 2.2.0 that lets an authenticated attacker access and modify other users' contact data.
Am I affected if I run Krayin CRM v2.2.x?
Yes, if you are using Krayin CRM version 2.2.0 or earlier, you are vulnerable to this BOLA flaw.
How do I fix it in Krayin CRM v2.2.x?
Upgrade to the fixed release (2.2.1 per the Fixed in field above, 2.3.0 per the advisory text; confirm with the vendor). As an interim measure, restrict user permissions and monitor for one account or client accessing many different person records.
Is it being exploited?
Currently there is no evidence of active exploitation in the wild, but the vulnerability remains a risk because it requires no exploit code, only a valid account.
Where can I find more information?
Refer to the Krayin CRM official website or security advisories for the latest information and updates regarding CVE-2026-38532.