PT-2026-32683 · Webkul · Krayin Crm

Trexnegro

Published

2026-04-14

Updated

2026-04-19

CVE-2026-38529

CVSS v3.1

8.8

High

Vector

AC:L/AV:N/A:H/C:H/I:H/PR:L/S:U/UI:N

Name of the Vulnerable Software and Affected Versions Webkul Krayin CRM versions 2.2.x

Description A Broken Object-Level Authorization (BOLA) exists in the '/Settings/UserController.php' endpoint. This allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover by supplying a crafted HTTP request.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Privilege Management

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-269CWE-639

Related Identifiers

CVE-2026-38529

GHSA-R8RP-5F55-5J9X

Affected Products

Krayin Crm

PT-2026-32683 · Webkul · Krayin Crm

CVE-2026-38529

Weakness Enumeration

Related Identifiers

Affected Products

References · 5