CVE-2026-3265
Published: 26 February 2026
Summary
CVE-2026-3265 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Go2Ismail Free-Crm. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documented procedures facilitate correct implementation and ongoing management of authorization decisions.
Periodic reviews identify and correct flaws in authorization decisions or enforcement.
Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.
The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.
Ensures privileges are assigned only as necessary rather than incorrectly over-granted.
The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.
Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.
Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization (IDOR) in public-facing Security API allows low-priv remote attackers to perform unauthorized actions; directly maps to exploiting internet-facing apps for initial access and software exploitation for privilege escalation.
NVD Description
A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The…
more
exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2026-3265 is an improper authorization vulnerability (CWE-266, CWE-285) in go2ismail Free-CRM up to commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. It affects an unknown part of the file /api/Security/ within the Security API component. The issue enables remote exploitation and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges (PR:L) can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized access or modifications within the affected Security API endpoints. A public exploit is available and might be used in attacks.
Advisories on GitHub and VulDB detail the vulnerability, including a proof-of-concept in Free-CRM IDOR.md. The product follows a rolling release strategy, so no specific affected or patched versions are defined. The vendor was notified early but provided no response or mitigation guidance. Security practitioners should monitor for updates in the repository and implement compensating controls like stricter API authorization checks.
Details
- CWE(s)