Description
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
Published: 2026-04-14
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Apply Patch
AI Analysis

Impact

A broken object-level authorization flaw exists in the /Settings/UserController.php endpoint of Webkul Krayin CRM version 2.2.x. The identifier of the account to be updated is taken from the request and is not checked against the identity or privileges of the caller, so an attacker who already holds any valid session can reset the password of any user by sending a crafted HTTP request. Controlling a user's password hands the attacker that account outright, a complete account takeover.

Affected Systems

Webkul Krayin CRM 2.2.x is the only product noted as affected. No other vendors or product versions are listed.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 8.8 (High). The vector needs only low privileges (PR:L), no user interaction and network access, so any valid account rather than an administrator suffices, and confidentiality, integrity and availability impact are all rated High. The EPSS score is below 1%, a very low but non-zero exploitation probability, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Exploitation requires an authenticated session and a single crafted HTTP request to the exposed endpoint. Because any compromised or malicious low-privilege account can use it to take over any other account, including administrative ones, the authentication requirement is a weak barrier and the risk is substantial for systems running the vulnerable version.

Generated by OpenCVE AI on April 15, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Confirm whether your installation runs Webkul Krayin CRM v2.2.x; the CPE entry on this page records 2.2.0 and no other affected versions are listed.
  • If a patch or newer non‑vulnerable version is available, upgrade immediately.
  • If no patch is available, change the handler in /Settings/UserController.php so that the user ID supplied in the request is authorized on the server side before it is used: the target must be the authenticated user's own account, or the caller must hold the permission that allows managing other users. That closes CWE‑269 (improper privilege management) and CWE‑639 (authorization bypass through a user‑controlled key), because the ID in the request can no longer select an arbitrary account.
  • Alternatively, restrict access to the password reset endpoint to administrators only or block the endpoint until a full fix is applied.
  • Actively monitor authentication and password‑reset logs for suspicious activity and reset credentials for any accounts that may have been compromised.
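The ownership-or-permission check the bullets above call for, written as an added example in plain PHP 8. Krayin is a Laravel application, but this is not its code and not its controller: the User and UserRepository classes, the permission name 'settings.users.edit' and the request field names are hypothetical. The vulnerable handler is shown beside its hardened form and both are run against a constructed set of users.

```php
<?php
// Added example (not Krayin's code): the BOLA pattern behind this advisory, modelled in
// plain PHP 8 so it runs without Laravel. User, UserRepository, the request field names
// and the permission string 'settings.users.edit' are hypothetical, not Krayin's.
declare(strict_types=1);

final class User
{
    public function __construct(
        public int $id,
        public string $email,
        public string $passwordHash,
        public array $permissions = [],   // permission names held (hypothetical ACL)
    ) {}
}

final class UserRepository
{
    /** @var array<int, User> */
    private array $byId = [];

    public function add(User $u): void { $this->byId[$u->id] = $u; }
    public function find(int $id): ?User { return $this->byId[$id] ?? null; }
}

final class ForbiddenException extends RuntimeException {}

// Vulnerable handler: the target is chosen solely from the request's "id" field and the
// caller's identity is never consulted, so any logged-in user can overwrite any other
// user's password (CWE-639, authorization bypass through a user-controlled key).
function resetPasswordVulnerable(UserRepository $repo, User $caller, array $request): User
{
    $target = $repo->find((int) $request['id']) ?? throw new RuntimeException('no such user');
    $target->passwordHash = password_hash($request['password'], PASSWORD_DEFAULT);
    return $target;
}

// Hardened handler: the request-supplied id is authorised against the caller before it is
// used. Only the account owner or a holder of the user-management permission may proceed,
// and a self-service change must additionally prove the current password.
function resetPasswordFixed(UserRepository $repo, User $caller, array $request): User
{
    $targetId       = (int) $request['id'];
    $isSelf         = $targetId === $caller->id;
    $mayManageUsers = in_array('settings.users.edit', $caller->permissions, true);

    if (!$isSelf && !$mayManageUsers) {
        throw new ForbiddenException("user {$caller->id} may not modify user {$targetId}");
    }
    $target = $repo->find($targetId) ?? throw new RuntimeException('no such user');

    if ($isSelf && !password_verify((string) ($request['current_password'] ?? ''), $target->passwordHash)) {
        throw new ForbiddenException('current password does not match');
    }
    $target->passwordHash = password_hash($request['password'], PASSWORD_DEFAULT);
    return $target;
}

// Constructed scenario: two ordinary users and one administrator.
$repo  = new UserRepository();
$alice = new User(1, 'alice@example.com', password_hash('alice-old', PASSWORD_DEFAULT));
$bob   = new User(2, 'bob@example.com',   password_hash('bob-old',   PASSWORD_DEFAULT));
$admin = new User(3, 'admin@example.com', password_hash('admin-old', PASSWORD_DEFAULT), ['settings.users.edit']);
foreach ([$alice, $bob, $admin] as $u) { $repo->add($u); }

$attack = ['id' => 2, 'password' => 'owned-by-alice'];   // alice targets bob's account

// 1. Vulnerable path: alice now knows bob's password.
resetPasswordVulnerable($repo, $alice, $attack);
printf("vulnerable: bob's new password accepted? %s\n",
    password_verify('owned-by-alice', $bob->passwordHash) ? 'yes' : 'no');

// 2. Hardened path: the same request is refused before the target is even loaded.
try {
    resetPasswordFixed($repo, $alice, $attack);
    echo "fixed: allowed (unexpected)\n";
} catch (ForbiddenException $e) {
    echo "fixed: refused ({$e->getMessage()})\n";
}

// 3. Legitimate cases still work: self-service with the current password, and an admin.
resetPasswordFixed($repo, $alice, ['id' => 1, 'current_password' => 'alice-old', 'password' => 'alice-new']);
resetPasswordFixed($repo, $admin, ['id' => 2, 'password' => 'bob-reset-by-admin']);
printf("fixed: alice self-reset ok? %s, admin reset of bob ok? %s\n",
    password_verify('alice-new', $alice->passwordHash) ? 'yes' : 'no',
    password_verify('bob-reset-by-admin', $bob->passwordHash) ? 'yes' : 'no');
```

Run with `php example.php`. In a real Laravel controller the same decision belongs in a policy or form request that runs before the model is loaded, and a refused attempt should be logged with both the caller's ID and the requested ID, which is exactly the signal the monitoring bullet above asks for.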

Generated by OpenCVE AI on April 15, 2026 at 22:27 UTC.


Advisories
Source: Github GHSA
ID: GHSA-r8rp-5f55-5j9x
Title: Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php
History

Thu, 23 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Webkul
Webkul krayin Crm
CPEs cpe:2.3:a:webkul:krayin_crm:2.2.0:*:*:*:*:*:*:*
Vendors & Products Webkul
Webkul krayin Crm

Wed, 15 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Title Broken Object-Level Authorization Allows Authenticated Password Reset and Account Takeover

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Krayin
Krayin laravel-crm
Vendors & Products Krayin
Krayin laravel-crm

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Authenticated Password Reset via Broken Object-Level Authorization in Webkul Krayin CRM
Weaknesses CWE-284

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-639
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authenticated Password Reset via Broken Object-Level Authorization in Webkul Krayin CRM
Weaknesses CWE-284

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:31:13.560Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38529

Vulnrichment

Updated: 2026-04-14T17:30:56.626Z

NVD

Status : Analyzed

Published: 2026-04-14T16:16:43.557

Modified: 2026-04-23T16:53:45.740

Link: CVE-2026-38529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses