CVE-2026-38527
Published: 14 April 2026
Summary
CVE-2026-38527 is a high-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE is ranked in the 9.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Input validation: validates POST request inputs such as webhook URLs and rejects targets that point at internal resources, so the endpoint cannot be used for SSRF.
- AC-4 (Information Flow Enforcement): enforces information flow policies that block server-side requests to unauthorized internal resources triggered from the vulnerable endpoint.
- SC-7 (Boundary Protection): monitors and controls outbound communications from the application server, limiting SSRF-based scanning of the internal network.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF directly enables internal port scanning and service enumeration (T1046) plus access to metadata endpoints (T1522) via crafted server requests to intranet resources.
NVD Description
A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.
Deeper analysis
CVE-2026-38527 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x. Published on 2026-04-14, it allows attackers to scan internal resources by supplying a crafted POST request. The issue carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), reflecting its high severity from network-based access, low attack complexity, requirement for low privileges, changed scope, high confidentiality impact, and low integrity impact.
The vulnerability can be exploited by low-privileged authenticated users over the network without user interaction. By sending a malicious POST request to the affected endpoint, attackers can trick the server into making unauthorized requests to internal resources, enabling port scanning, service enumeration, or access to metadata endpoints and other intranet services not intended for external exposure.
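The input-validation control listed above, worked through as an added example (this is not code from Krayin CRM or from the advisory): a webhook URL is accepted only if its scheme is HTTP(S), it carries no embedded credentials, and every address its host resolves to is globally routable, so loopback, RFC 1918, link-local (including the 169.254.169.254 metadata address) and IPv4-mapped IPv6 targets are rejected. The hostnames and addresses used are constructed for illustration, and the resolver is a parameter so the check can be exercised offline.

```python
"""Defensive webhook-URL validator (added example, not Krayin CRM code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(addr: str) -> bool:
    """True if addr is not a globally routable unicast IP address."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:127.0.0.1) by the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local, CGNAT,
    # documentation ranges and 0.0.0.0; multicast is excluded separately.
    return (not ip.is_global) or ip.is_multicast


def resolve_host(host: str) -> list[str]:
    """Real DNS lookup; kept separate so tests can swap in an offline stub."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_webhook_url(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be external."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # IP literal (urlsplit strips the brackets of IPv6 literals).
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        # Hostname, or an odd form such as a decimal/hex IP that the
        # resolver may still accept: resolve it and check every address.
        try:
            addresses = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "host does not resolve"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"resolves to internal address {addr}"
    return True, "ok"
```

Validation at creation time alone is not sufficient: the check must be repeated when the webhook is actually delivered (re-resolving the host and connecting to the validated address) and after any HTTP redirect, or DNS rebinding and redirects bypass it.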
Mitigation guidance and further details are available in the security advisory at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527 and the Webkul Krayin CRM repository at https://github.com/krayin/laravel-crm. Security practitioners should review these sources for patches, version upgrades, or workarounds specific to v2.2.x deployments.
Details
- CWE(s)