CVE-2026-3264
Published: 26 February 2026
Summary
CVE-2026-3264 is a medium-severity EAR (CWE-698) vulnerability in Go2Ismail Free-Crm. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-3264 is a vulnerability in go2ismail Free-CRM up to commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1, affecting some unknown functionality of the Administrative Interface component. The issue enables execution after redirect, associated with CWE-698 and CWE-705, and carries a CVSS 3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A remote attacker with low privileges can exploit this vulnerability in an attack scenario requiring low complexity and no user interaction. Successful exploitation leads to low-level impacts on confidentiality, integrity, and availability, with the exploit publicly disclosed and potentially utilizable in the wild.
Advisories, including a GitHub entry on privilege escalation via client-side redirect authorization bypass and VulDB reports, indicate no patches or updated releases are available due to the product's rolling release model, which lacks version information for affected or fixed instances. The vendor was contacted early but provided no response.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8924
Vulnerability details
A vulnerability was determined in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. Affected by this issue is some unknown functionality of the component Administrative Interface. Executing a manipulation can lead to execution after redirect. The attack can be executed remotely. The exploit…
more
has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is explicitly described as enabling privilege escalation via client-side redirect authorization bypass (CWE-698/705) in the administrative interface, directly matching T1068 Exploitation for Privilege Escalation. No other techniques are directly facilitated by the described flaw.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access-control policy on the administrative interface so that a redirect cannot be used to bypass authorization checks and reach protected functionality.
Enforces information-flow rules that would block unauthorized control flow from an untrusted redirect target back into privileged administrative code paths.
Requires validation of redirect-related inputs (URLs, parameters) so that an attacker-supplied redirect cannot cause execution of code after the redirect.