Description
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.
Published: 2026-04-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Apply Patch
AI Analysis

Impact

A broken object‑level authorization flaw allows an authenticated user to view, edit, or permanently delete any contact in Webkul Krayin CRM, regardless of ownership. This grants attackers unauthorized access to sensitive personal data and the ability to tamper with or erase records, compromising both confidentiality and integrity of contact information.

Affected Systems

Webkul Krayin CRM version 2.2.x is vulnerable; all installations running this version without a patch or a code-level mitigation may be affected.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the vulnerability is exploitable by any authenticated user. Although the EPSS score is not available and the issue is not listed in the KEV catalog, the exposed endpoint can be accessed through normal user authentication, making it potentially easy to exploit in environments with many active users.

Generated by OpenCVE AI on April 14, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Webkul Krayin CRM to a released version that fixes the authorization flaw.
  • If an update is not yet available, modify the PersonController to verify that the authenticated user owns the contact before allowing read, modify, or delete operations.
  • Limit access to the /Contact/Persons/PersonController.php endpoint to users with the appropriate roles or ownership checks.
  • Monitor authentication and access logs for abnormal activity on contact endpoints.
  • Perform a security audit of the CRM’s access control logic to ensure similar gaps are not present elsewhere.
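The second and third recommendations above amount to one code change: every controller action that loads a contact by id must confirm that the record belongs to the authenticated user before reading, updating or deleting it. The following is an added illustration of that pattern in a Laravel resource controller (Krayin is built on Laravel); it is not Krayin's own code, and the `Contact` model, its `user_id` column, the `ContactController` name and the `name`/`email` fields are hypothetical.

```php
<?php
// Added example (not Krayin's code): object-level authorization on a
// Laravel resource controller. The model, column and field names are
// hypothetical stand-ins for whatever the application actually uses.

namespace App\Http\Controllers;

use App\Models\Contact;                 // hypothetical Eloquent model with a user_id owner column
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;

class ContactController extends Controller
{
    /**
     * Load a contact and enforce ownership in one place, so that show(),
     * update() and destroy() cannot skip the check. The BOLA pattern is
     * the version of this function that returns Contact::findOrFail($id)
     * straight away: the id from the URL is trusted as proof of ownership.
     */
    private function ownedContactOrFail(Request $request, int $id): Contact
    {
        $contact = Contact::findOrFail($id);

        // Compare against the server-side identity of the caller, never
        // against a user id supplied in the request.
        if ($contact->user_id !== $request->user()->id) {
            // Denied cross-tenant access is exactly the "abnormal activity on
            // contact endpoints" worth surfacing in access logs (recommendation 4).
            Log::warning('contact.access.denied', [
                'user_id'    => $request->user()->id,
                'contact_id' => $contact->id,
                'action'     => $request->route()?->getActionMethod(),
                'ip'         => $request->ip(),
            ]);
            abort(403);
        }

        return $contact;
    }

    public function show(Request $request, int $id)
    {
        return $this->ownedContactOrFail($request, $id);
    }

    public function update(Request $request, int $id)
    {
        $contact = $this->ownedContactOrFail($request, $id);
        $contact->fill($request->only(['name', 'email']))->save();
        return $contact;
    }

    public function destroy(Request $request, int $id)
    {
        $this->ownedContactOrFail($request, $id)->delete();
        return response()->noContent();
    }
}
```

Two design notes. Scoping the query to the owner up front (`Contact::where('user_id', $request->user()->id)->findOrFail($id)`) is an equally valid fix and answers 404 instead of 403, which also avoids confirming that another user's record exists; the explicit comparison above is used only so the denial can be logged. Whichever form is chosen, it must be applied to every action that takes a record id, including any lookup that backs the GET request the advisory describes, since a check on `destroy()` alone still leaves reads and updates exposed.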

Generated by OpenCVE AI on April 14, 2026 at 20:48 UTC.

Advisories
Source: Github GHSA
ID: GHSA-2xx8-j85v-j7wh
Title: Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php
History

Wed, 15 Apr 2026 21:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Krayin
                                        Krayin laravel-crm
Vendors & Products                      Krayin
                                        Krayin laravel-crm

Wed, 15 Apr 2026 15:45:00 +0000

Type     Values Removed    Values Added
Title                      Webkul Krayin CRM v2.2.x BOLA Enables Authenticated Users to Read, Modify, or Delete Other Users' Contacts

Tue, 14 Apr 2026 18:30:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-639
Metrics                        ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 15:45:00 +0000

Type          Values Removed    Values Added
Description                     A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.
References
Metrics                         cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AC:L/AV:N/A:N/C:H/I:H/PR:L/S:U/UI:N'}


Subscriptions

Krayin Laravel-crm
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:27:56.674Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38532

Vulnrichment

Updated: 2026-04-14T17:27:30.200Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T16:16:43.830

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-38532

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:03:05Z

Weaknesses