Description
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
Published: 2026-04-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Account takeover
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Broken Object-Level Authorization flaw located in the /Settings/UserController.php endpoint of Webkul Krayin CRM. An authenticated attacker can send a crafted HTTP request to reset any user’s password, thereby gaining full control over that account. This is an improper access control weakness that can lead to complete account compromise.

Affected Systems

Webkul Krayin CRM version 2.2.x is affected. No other vendors or product versions are listed. The flaw exists specifically in the Settings controller handling user data within that version.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, with potential for full account takeover. Because the flaw requires an authenticated session, it is not a remote unauthenticated vulnerability; however, any attacker holding valid low-privilege credentials can exploit it. No EPSS data is available, and the flaw is not yet listed in the CISA KEV catalog, which suggests it may not be publicly exploited yet; its high CVSS score nonetheless makes it a priority for mitigation.

Generated by OpenCVE AI on April 14, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Webkul Krayin CRM that removes the exposed password reset capability or corrects the access control in the Settings controller.
  • If an upgrade is not possible, revoke or invalidate all active user sessions and reset passwords for all users to prevent unauthorized access.
  • Review and enforce proper authentication checks on the /Settings/UserController.php endpoint to ensure only the account owner can reset their password.
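The third action above is an object-level authorization check: the server must decide, from the authenticated principal alone, whether the caller may change the targeted user's password. The following is an added illustration of that check in a Laravel-style controller (Krayin CRM is built on Laravel); it is not Krayin's code, and the class name, route, Gate ability `users.reset-password`, and field names are assumptions made for the example. The defect class described on this page is a handler that takes a user id from the request and updates that record without ever comparing it to the authenticated user; the version below makes that comparison first, rejects and logs mismatches, and invalidates the target's persistent login after the change.

```php
<?php
// Added, hypothetical example of an object-level authorization check on a
// password-update handler. Not Krayin's code; names below are assumptions.

namespace App\Http\Controllers\Settings;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Illuminate\Validation\Rules\Password;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class UserPasswordController
{
    /**
     * Handles PUT /settings/users/{id}/password (assumed route).
     *
     * The authorization decision is taken from $request->user(), i.e. the
     * session or token the framework authenticated, never from an id, role,
     * or flag supplied in the request body.
     */
    public function update(Request $request, int $id)
    {
        $actor = $request->user();

        // Object-level check, performed before the target record is loaded or
        // modified: the target must be the caller's own account, or the caller
        // must hold an explicit administrative ability (assumed Gate name).
        $isSelf = ($actor->id === $id);
        if (! $isSelf && ! $actor->can('users.reset-password')) {
            // A denied attempt is a useful detection signal for BOLA probing:
            // record who tried to act on which object.
            Log::warning('password update denied by object-level check', [
                'actor_id'  => $actor->id,
                'target_id' => $id,
                'ip'        => $request->ip(),
            ]);
            throw new AccessDeniedHttpException('Not allowed to change this user\'s password.');
        }

        // A user changing their own password must prove possession of the
        // current one; an administrator resetting someone else's does not
        // know it, so the rule is only applied in the self-service case.
        $rules = [
            'password' => ['required', 'confirmed', Password::min(12)],
        ];
        if ($isSelf) {
            $rules['current_password'] = ['required', 'current_password'];
        }
        $data = $request->validate($rules);

        $target = User::findOrFail($id);
        $target->forceFill([
            'password' => Hash::make($data['password']),
        ]);
        // Rotating the remember token invalidates "remember me" cookies the
        // target may still have, so an existing persistent login cannot
        // survive the password change.
        $target->setRememberToken(Str::random(60));
        $target->save();

        Log::info('password updated', [
            'actor_id'  => $actor->id,
            'target_id' => $target->id,
            'self'      => $isSelf,
        ]);

        return response()->noContent();
    }
}
```

The check compares the route parameter against the authenticated user's id rather than trusting any `user_id` field in the body, which is the distinction that separates a BOLA-prone handler from a sound one; the warning log on denial gives the SOC a concrete event to alert on when one account starts probing many target ids.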

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Type          Values Removed    Values Added
Weaknesses                      CWE-269, CWE-639
Metrics                         ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type          Values Removed    Values Added
Title                           Authenticated Password Reset via Broken Object-Level Authorization in Webkul Krayin CRM
Weaknesses                      CWE-284

Tue, 14 Apr 2026 15:45:00 +0000

Type          Values Removed    Values Added
Description                     A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
References
Metrics                         cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:31:13.560Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38529

Vulnrichment

Updated: 2026-04-14T17:30:56.626Z

NVD

Status: Received

Published: 2026-04-14T16:16:43.557

Modified: 2026-04-14T18:17:37.847

Link: CVE-2026-38529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:37Z

Weaknesses