Description
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
Published: 2026-04-21
Score: 9 (Critical)
EPSS: < 1% (Very Low)
KEV: No
Impact: Unauthorized user modification via direct object reference
Action: Apply Patch
AI Analysis

Impact

An insecure direct object reference in the Users API allows a remote, authenticated attacker to perform user modification actions through improper permission validation. This flaw can lead to unauthorized changes in user data, enabling privilege escalation or data tampering, compromising both data integrity and confidentiality. The weakness is a classic authorization bypass (CWE-639).

Affected Systems

Vendor: Arcadia Technology, LLC; product: Crafty Controller. All releases prior to version 4.10.3 are affected, as the vulnerability exists in the Users API component before that patch.

Risk and Exploitability

The CVSS score of 9 indicates critical severity. Exploitation requires authentication but can be performed remotely through the exposed API, so any attacker holding valid credentials can attempt it. No EPSS data is available, and the issue is not currently listed in the CISA KEV catalog. Attackers can use the affected endpoint to modify other users' accounts, potentially granting themselves further access or manipulating sensitive information.

Generated by OpenCVE AI on April 21, 2026 at 22:39 UTC.

Remediation

Vendor Solution

Upgrade to version 4.10.3


OpenCVE Recommended Actions

  • Update Crafty Controller to version 4.10.3 or newer.
  • Verify that the Users API endpoints enforce correct permission checks and that no arbitrary user identifiers are accepted without validation.
  • Apply the principle of least privilege to user roles and restrict API access to trusted users or network segments.
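As an added illustration of the second recommended action (this is not Crafty Controller's code; the User fields, the user_manage permission and the handler names are hypothetical), the following Python contrasts a user-modification handler that only authenticates the caller with one that authorizes the caller against the specific user object the request names:

```python
from dataclasses import dataclass, replace

# Constructed sample data for this example; not Crafty Controller's schema.
@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    superuser: bool = False
    permissions: frozenset = frozenset()

def sample_users() -> dict:
    return {
        1: User(1, "admin", superuser=True),
        2: User(2, "alice", permissions=frozenset({"user_manage"})),
        3: User(3, "bob"),
    }

class Forbidden(Exception):
    pass

EDITABLE = {"username", "superuser", "permissions"}
PRIVILEGE_FIELDS = {"superuser", "permissions"}

def patch_user_insecure(users: dict, caller: User, target_id: int, changes: dict) -> User:
    """IDOR-prone shape: the caller is authenticated, but the target id taken
    from the request is trusted as-is and never compared against the caller."""
    target = users[target_id]
    users[target_id] = replace(target, **changes)
    return users[target_id]

def authorize_user_patch(caller: User, target: User, changes: dict) -> bool:
    """Object-level check: may this caller apply these changes to this user?"""
    if not changes.keys() <= EDITABLE:
        return False
    if caller.user_id == target.user_id:
        # Self-service edits may not touch privilege-bearing fields.
        return not (changes.keys() & PRIVILEGE_FIELDS)
    if caller.superuser:
        return True
    # Delegated user managers may edit non-superusers but never grant superuser.
    if "user_manage" in caller.permissions:
        return not target.superuser and not changes.get("superuser", False)
    return False

def patch_user_secure(users: dict, caller: User, target_id: int, changes: dict) -> User:
    """Hardened handler: resolve the object, then authorize the caller against it."""
    target = users.get(target_id)
    if target is None or not authorize_user_patch(caller, target, changes):
        # One response for missing and forbidden objects avoids id enumeration.
        raise Forbidden(f"user {target_id}: not found or not permitted")
    users[target_id] = replace(target, **changes)
    return users[target_id]
```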


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arcadia Technology; Arcadia Technology crafty Controller
Vendors & Products | | Arcadia Technology; Arcadia Technology crafty Controller

Tue, 21 Apr 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
Title | | Authorization Bypass Through User-Controlled Key in Crafty Controller
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-21T17:22:27.276Z

Reserved: 2026-04-06T05:03:53.661Z

Link: CVE-2026-5652

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T17:16:57.793

Modified: 2026-04-21T18:16:53.633

Link: CVE-2026-5652

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses