Cyber Resilience

CVE-2026-38527

Severity: High
Published: 14 April 2026
Modified: 17 April 2026
KEV Added: not listed
CVSS v3.1 score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS score: 0.0025 (15.9th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-38527 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability with a CVSS v3.1 base score of 8.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK techniques Network Service Discovery (T1046) and Cloud Instance Metadata API (T1552.005). EPSS ranks it at the 15.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-38527 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x. Published on 2026-04-14, it allows attackers to scan internal resources by supplying a crafted POST request. The issue carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N): network-based access, low attack complexity, low privileges required, no user interaction, changed scope (the forged request crosses from the CRM into the internal network, which the CRM's own authorization does not govern), high confidentiality impact, low integrity impact and no availability impact.

The vulnerability can be exploited by low-privileged authenticated users over the network without user interaction. The webhook-creation endpoint accepts a destination URL that the server itself will contact, so a malicious POST request turns the CRM host into a request proxy for the attacker. Differences in response status, timing or error text reveal which internal hosts and ports are reachable (port scanning and service enumeration), and the same mechanism can reach the cloud instance metadata service (169.254.169.254 on the major cloud providers) and other intranet services that were never meant to be exposed.

Mitigation guidance and further details are available in the security advisory at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527 and the Webkul Krayin CRM repository at https://github.com/krayin/laravel-crm. Security practitioners should review these sources for patches, version upgrades, or workarounds specific to v2.2.x deployments.

Vulnerability details

A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by supplying a crafted POST request.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF directly enables internal port scanning and service enumeration (T1046) as well as access to cloud instance metadata endpoints (T1552.005), because the crafted webhook URL makes the application server issue the requests to intranet resources on the attacker's behalf.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
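The two techniques above leave a footprint on the egress side of the application server: a burst of connections from one source to many ports on one internal host (T1046) and any connection at all to the instance metadata address (T1552.005). The following detector is an added example written for this page, not code from Krayin CRM, the advisory, or MITRE. The log format, the field names, the thresholds and the sample lines are constructed assumptions; adapt the regex to whatever your egress proxy or firewall actually emits.

```python
"""Flag SSRF-driven internal scanning (T1046) and metadata-API reach (T1552.005)
in egress logs from an application server.

Added example for this page; not code from Krayin CRM or its advisory.
Log format, thresholds and the SAMPLE_LOG lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy line format (IPv4 only, for brevity):
#   <ISO timestamp> src=<ip> dst=<ip>:<port> status=<http status or 502 on failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) status=(?P<status>\d+)$"
)

METADATA_HOSTS = {"169.254.169.254"}  # IMDS address used by AWS, Azure and GCP
PORT_SWEEP_THRESHOLD = 5              # distinct ports on one internal host ...
WINDOW_SECONDS = 60                   # ... inside this sliding window


def is_internal(ip_str):
    """True for RFC 1918, loopback, link-local and reserved IPv4 destinations."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"],
            "dst": d["dst"], "port": int(d["port"]), "status": int(d["status"])}


def detect(lines):
    """Return findings as (technique, src, dst, detail) tuples."""
    findings = []
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])

    # T1552.005: any egress from the app server to an instance metadata address.
    for e in events:
        if e["dst"] in METADATA_HOSTS:
            findings.append(("T1552.005", e["src"], e["dst"],
                             f"metadata endpoint contacted on port {e['port']}"))

    # T1046: many distinct ports on one internal host within the window.
    by_pair = defaultdict(list)
    for e in events:
        if e["dst"] not in METADATA_HOSTS and is_internal(e["dst"]):
            by_pair[(e["src"], e["dst"])].append(e)
    for (src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            ports = {x["port"] for x in evs[start:end + 1]}
            if len(ports) >= PORT_SWEEP_THRESHOLD:
                findings.append(("T1046", src, dst,
                                 f"{len(ports)} distinct ports within {WINDOW_SECONDS}s"))
                break  # one finding per (src, dst) pair is enough
    return findings


# Constructed sample: 10.0.1.20 is the CRM host; 93.184.216.34 stands in for a
# legitimate external webhook receiver; 10.0.2.15 is an internal server.
SAMPLE_LOG = [
    "2026-04-14T10:00:00 src=10.0.1.20 dst=93.184.216.34:443 status=200",
    "2026-04-14T10:00:05 src=10.0.1.20 dst=169.254.169.254:80 status=200",
    "2026-04-14T10:00:10 src=10.0.1.20 dst=10.0.2.15:22 status=502",
    "2026-04-14T10:00:11 src=10.0.1.20 dst=10.0.2.15:80 status=200",
    "2026-04-14T10:00:12 src=10.0.1.20 dst=10.0.2.15:443 status=502",
    "2026-04-14T10:00:13 src=10.0.1.20 dst=10.0.2.15:3306 status=502",
    "2026-04-14T10:00:14 src=10.0.1.20 dst=10.0.2.15:6379 status=502",
    "2026-04-14T10:00:15 src=10.0.1.20 dst=10.0.2.15:8080 status=502",
    "2026-04-14T10:00:20 src=10.0.1.20 dst=10.0.3.7:443 status=200",
    "malformed line that the parser must skip",
]


def run_sample():
    """Run the detector over the constructed sample."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for technique, src, dst, detail in run_sample():
        print(f"{technique}: {src} -> {dst} ({detail})")
```

A single request to one internal host (10.0.3.7 above) is normal webhook traffic and is deliberately not flagged; the signal for T1046 is port diversity against one destination, not internal egress as such. Sorting by timestamp before the sliding window matters because proxy logs are frequently written out of order.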

CVEs Like This One

CVE-2026-25991 (shared CWE-918)
CVE-2026-42141 (shared CWE-918)
CVE-2026-30232 (shared CWE-918)
CVE-2026-31941 (shared CWE-918)
CVE-2026-34746 (shared CWE-918)
CVE-2026-32133 (shared CWE-918)
CVE-2026-4302 (shared CWE-918)
CVE-2026-40348 (shared CWE-918)
CVE-2026-28680 (shared CWE-918)
CVE-2026-28508 (shared CWE-918)

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Validate the webhook URL carried in the POST request before the server ever fetches it: restrict the scheme and port, resolve the host, and reject any target that points at loopback, link-local (including the 169.254.169.254 metadata address), private or otherwise non-routable space.

Prevent: AC-4 (Information Flow Enforcement). Enforce an information flow policy so that server-side requests initiated by the vulnerable endpoint can only reach destinations the webhook feature is meant to deliver to, rather than arbitrary internal resources.

Prevent and detect: SC-7 (Boundary Protection). Route outbound traffic from the application server through an egress proxy or firewall that allows only approved destinations and logs every attempt. This both blocks SSRF-based internal scanning and makes it visible in the outbound logs.
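The validation control above is easy to get wrong: a check on the URL string alone is bypassed by hostnames that resolve to internal addresses, by IPv4-mapped IPv6 literals, and by unusual IP spellings that the system resolver quietly accepts. The following validator is an added example written for this page; it is not code from Krayin CRM, its Laravel code base, or the advisory. The function names, the allowed port set and the fake DNS table used so the demo runs offline are assumptions. It goes slightly beyond the single case in the text by also returning the resolved address the caller should connect to, which closes the DNS-rebinding window between validation and the actual request.

```python
"""Validate a user-supplied webhook URL before the server fetches it.

Added example for this page; not code from Krayin CRM, Laravel or the advisory.
ALLOWED_PORTS, the function names and FAKE_DNS are assumptions for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: webhooks only ever go to standard web ports


class UnsafeWebhookURL(ValueError):
    """Raised when the URL must not be fetched by the server."""


def is_forbidden_address(ip):
    """True for any address the application server must not call back into."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # [::ffff:10.0.0.1] hides an IPv4 target
    return (ip.is_private or ip.is_loopback or ip.is_link_local  # IMDS is link-local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Resolve with the OS resolver; returns every A/AAAA answer as an ip object."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def validate_webhook_url(url, resolver=system_resolver):
    """Return (url, pinned_ip) if the URL is safe to fetch, else raise.

    The caller should open the connection to pinned_ip (sending the original
    Host header and SNI) rather than resolving the name a second time.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit already lowercases the scheme
        raise UnsafeWebhookURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeWebhookURL("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeWebhookURL("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise UnsafeWebhookURL("invalid port") from None
    if port not in ALLOWED_PORTS:
        raise UnsafeWebhookURL(f"port {port} not allowed")  # stops port sweeps early

    # Only dotted-quad and standard IPv6 literals are accepted as addresses.
    # Other spellings (decimal "2130706433", octal "0177.0.0.1") fall through to
    # the resolver and are judged by what they actually resolve to.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError as exc:
            raise UnsafeWebhookURL(f"cannot resolve {host!r}: {exc}") from None
        if not candidates:
            raise UnsafeWebhookURL(f"no address for {host!r}")
    # Reject if ANY answer is internal: split-horizon DNS and rebinding tricks
    # rely on the check seeing one answer and the client using another.
    for ip in candidates:
        if is_forbidden_address(ip):
            raise UnsafeWebhookURL(f"target {host!r} maps to non-routable address {ip}")
    return url, candidates[0]


# Constructed DNS table standing in for real resolution so the demo runs offline.
# 93.184.216.34 plays the role of a legitimate external webhook receiver.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.2.15"],
    "rebind.attacker.test": ["93.184.216.34", "169.254.169.254"],
    "2130706433": ["127.0.0.1"],  # what glibc's inet_aton does with a decimal IP
}


def fake_resolver(host):
    try:
        return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {host}") from None


def check(url):
    """Demo helper: 'ok <pinned ip>' or 'rejected: <reason>'."""
    try:
        _, ip = validate_webhook_url(url, resolver=fake_resolver)
        return f"ok {ip}"
    except UnsafeWebhookURL as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for u in ("https://hooks.example.com/notify", "http://169.254.169.254/latest/meta-data/",
              "http://127.0.0.1:6379/", "http://internal.corp/", "http://rebind.attacker.test/",
              "http://2130706433/", "http://[::ffff:10.0.0.1]/", "file:///etc/passwd"):
        print(f"{u:45s} {check(u)}")
```

Validation alone is the SI-10 layer; it does not replace the AC-4 and SC-7 controls above, because a bug in this code (or a redirect followed by the HTTP client after validation) would again let the server reach internal hosts. Disable redirect following in the webhook client, or re-run the validator on each Location header, and keep the egress allowlist as the backstop.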
