Description
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
Published: 2026-04-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Lead Data Access and Deletion
Action: Patch Immediately
AI Analysis

Impact

A broken object‑level authorization flaw in the LeadController of Webkul Krayin CRM permits an authenticated attacker to supply a crafted GET request that reveals, modifies, or permanently deletes any lead owned by another user. The vulnerability compromises confidentiality by allowing unauthorized read access, integrity through unauthorized modifications, and availability through permanent removal of lead records, affecting all three security categories.

Affected Systems

Webkul Krayin CRM version 2.2.x is affected. The vendor is Webkul and the product is Krayin CRM. No other product or version information is supplied.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS is not available and the issue does not appear in the CISA KEV catalog. The description indicates that the attack requires authentication, so an attacker must log in before exploiting the flaw. The attack can be carried out by sending a specially constructed GET request to the vulnerable endpoint. Given the high impact and the need for authentication, the risk is substantial for systems where many users have access to the application.

Generated by OpenCVE AI on April 14, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Webkul Krayin CRM to the latest release that removes the object‑level authorization flaw.
  • If an update is not immediately available, restrict access to the Lead CRUD endpoints and implement server‑side checks to confirm that a lead belongs to the authenticated user before allowing read, modify, or delete operations.
  • Monitor application logs for unexpected GET requests to the LeadController endpoint and investigate any anomalies.
  • Follow vendor advisories and apply any interim security measures they recommend until a patch is released.

Generated by OpenCVE AI on April 14, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rm5f-3c25-p4cw Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php
History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Krayin
Krayin laravel-crm
Vendors & Products Krayin
Krayin laravel-crm

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Broken Object‑Level Authorization in Webkul Krayin CRM Exposes Lead Data
Weaknesses CWE-284
CWE-639

Tue, 14 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:U/UI:N'}

Subscriptions

Krayin Laravel-crm
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:28:56.838Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38530

cve-icon Vulnrichment

Updated: 2026-04-14T17:28:28.408Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T16:16:43.697

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-38530

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:03:06Z

Weaknesses