CVE-2026-3265
Published: 26 February 2026
Summary
CVE-2026-3265 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Go2Ismail Free-Crm. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).
Deeper analysis
CVE-2026-3265 is an improper authorization vulnerability (CWE-266, CWE-285) in go2ismail Free-CRM up to commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. It affects an unknown part of the file /api/Security/ within the Security API component. The issue enables remote exploitation and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges (PR:L) can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized access or modifications within the affected Security API endpoints. A public exploit is available and might be used in attacks.
Advisories on GitHub and VulDB detail the vulnerability, including a proof-of-concept in Free-CRM IDOR.md. The product follows a rolling release strategy, so no specific affected or patched versions are defined. The vendor was notified early but provided no response or mitigation guidance. Security practitioners should monitor for updates in the repository and implement compensating controls like stricter API authorization checks.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8925
Vulnerability details
A vulnerability was identified in go2ismail Free-CRM up to b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. This affects an unknown part of the file /api/Security/ of the component Security API. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The…
more
exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization (IDOR) in public-facing Security API allows low-priv remote attackers to perform unauthorized actions; directly maps to exploiting internet-facing apps for initial access and software exploitation for privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces approved authorizations on Security API endpoints to block the unauthorized access and modifications enabled by this improper-authorization flaw.
Limits the actions available to low-privilege accounts, reducing the impact of exploitation via the publicly available IDOR-style attack on /api/Security/.
Ensures access-control decisions are enforced consistently for every request to the affected Security API component rather than being bypassed.