CVE-2026-38529: A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allo

Description

A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.

Affected Products

Vendor	Product	Versions
webkul	krayin crm	n/a

References

Related News (1 articles)

Tier C

VulDB22h ago

CVE-2026-38529 | Krayin CRM 2.2.x HTTP UserController.php improper authentication

→ No new info (linked only)

CVSS 3.18.8 HIGH

VectorCVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-269, CWE-639

PublishedApr 14, 2026

Last enriched13h agov2

Community Vote

Version History

Last enriched 13h ago

v2Tier C22h ago

Updated severity to CRITICAL, marked as actively exploited, and added tag for improper authentication.

severityactivelyExploitedtags

via VulDB

v123h ago

Initial creation

CVE-2026-38529: A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allo

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History