CVE-2026-38532

Name of the Vulnerable Software and Affected Versions Webkul Krayin CRM versions 2.2.x

Description A Broken Object-Level Authorization (BOLA) issue exists in the '/Contact/Persons/PersonController.php' endpoint. This allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users by supplying a crafted GET request.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.