Cyber Resilience

CVE-2026-38529

High · Public PoC

Published: 14 April 2026

Modified: 23 April 2026
KEV Added: not listed
Patch: none listed
CVSS v3.1 score: 8.8 (High); vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0062 (45.3rd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-38529 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Webkul Krayin CRM. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 45.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-38529 is a Broken Object-Level Authorization (BOLA) vulnerability, mapped to CWE-269 and CWE-639, affecting the /Settings/UserController.php endpoint in Webkul Krayin CRM version 2.2.x. It enables authenticated attackers to bypass authorization checks by supplying a crafted HTTP request, allowing arbitrary user password resets. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting a request to the vulnerable endpoint, the attacker can reset the password of any user, leading to full account takeover. This grants unauthorized access to the victim's account, potentially enabling further privilege escalation or data exfiltration within the CRM system.

Mitigation details are outlined in the security advisory available at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38529. Security practitioners should consult the Webkul Krayin CRM project repository at https://github.com/krayin/laravel-crm for patches, updates, or workarounds to address this issue in affected v2.2.x deployments.


Vulnerability details

A Broken Object-Level Authorization (BOLA) flaw in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover by supplying a crafted HTTP request.

CWE(s)

CWE-269 Improper Privilege Management; CWE-639 Authorization Bypass Through User-Controlled Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1098 Account Manipulation (tactic: Persistence): adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The BOLA flaw in an authenticated endpoint lets low-privilege users perform arbitrary password resets, which directly enables account manipulation through credential changes (T1098) and privilege escalation by taking over higher-privileged accounts (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-38532: same product (Webkul Krayin CRM)
- CVE-2026-38530: same product (Webkul Krayin CRM)
- CVE-2026-21447: same vendor (Webkul)
- CVE-2025-67325: same vendor (Webkul)
- CVE-2025-15096: shared CWE-639
- CVE-2026-21448: same vendor (Webkul)
- CVE-2026-21450: same vendor (Webkul)
- CVE-2026-21446: same vendor (Webkul)
- CVE-2026-21451: same vendor (Webkul)
- CVE-2026-21449: same vendor (Webkul)

Affected Assets

Vendor: webkul
Product: krayin crm
Version: 2.2.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access to system resources, directly preventing BOLA by requiring proper checks in the UserController endpoint to block unauthorized password resets.

AC-24 Access Control Decisions (prevent): Mandates access control decisions for specific resources such as user accounts, addressing the missing object-level authorization that allows crafted requests to trigger arbitrary password resets.

AC-6 Least Privilege (prevent): Applies least privilege to restrict low-privileged authenticated users from performing high-impact actions such as resetting other users' passwords.
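As an added example that is not Krayin's code and not taken from the advisory, the plain PHP script below contrasts the handler shape described in the deeper analysis (a password reset that only confirms an authenticated session) with one that makes the object-level decision the AC-3 and AC-24 controls call for, checking the acting user against the target account before any write. The in-memory user table, the "self or admin" rule, the audit log and every function name are constructed for this illustration; in a Laravel application the same rule would live in a Policy class invoked through the controller's authorize call.

```php
<?php
// Added illustration (not Krayin's code): object-level authorization on a
// password-reset handler. The user table, roles and function names are
// constructed for this example.
declare(strict_types=1);

// Constructed in-memory user store keyed by user id.
$users = [
    1 => ['id' => 1, 'name' => 'admin',   'role' => 'admin', 'password_hash' => password_hash('admin-old', PASSWORD_DEFAULT)],
    2 => ['id' => 2, 'name' => 'sales-a', 'role' => 'agent', 'password_hash' => password_hash('sales-old', PASSWORD_DEFAULT)],
    3 => ['id' => 3, 'name' => 'sales-b', 'role' => 'agent', 'password_hash' => password_hash('other-old', PASSWORD_DEFAULT)],
];

/**
 * BOLA-shaped handler (the bug class, not Krayin's code): the target user id
 * comes straight from the request and the only check is that *some*
 * authenticated user made the call, so any account can change any other
 * account's password.
 */
function resetPasswordWithoutObjectCheck(array $actor, int $targetId, string $newPassword, array &$users): bool
{
    if (!isset($users[$targetId])) {
        return false;
    }
    $users[$targetId]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

/**
 * Object-level authorization decision (NIST AC-24 / AC-3): who may reset whose
 * password. Rule assumed for this example: a user may reset their own password,
 * and an admin may reset anyone's. In Laravel this belongs in a Policy class.
 */
function canResetPassword(array $actor, array $target): bool
{
    if ($actor['id'] === $target['id']) {
        return true;
    }
    return $actor['role'] === 'admin';
}

/**
 * Hardened handler: the decision is made against the *target object*, not just
 * the session, and every outcome is recorded for detection.
 */
function resetPasswordWithObjectCheck(array $actor, int $targetId, string $newPassword, array &$users, array &$auditLog): bool
{
    if (!isset($users[$targetId])) {
        return false;
    }
    $target = $users[$targetId];
    if (!canResetPassword($actor, $target)) {
        // Denied cross-user resets are a useful alerting signal for this bug class.
        $auditLog[] = sprintf('DENY  password_reset actor=%d target=%d', $actor['id'], $targetId);
        return false;
    }
    $users[$targetId]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $auditLog[] = sprintf('ALLOW password_reset actor=%d target=%d', $actor['id'], $targetId);
    return true;
}

// Demonstration: a low-privilege agent (id 2) asks to reset the admin's (id 1) password.
$auditLog = [];
$agent = $users[2];

$vulnerable = $users;
$r1 = resetPasswordWithoutObjectCheck($agent, 1, 'new-secret', $vulnerable);
printf("without object check: reset of admin by agent %s\n", $r1 ? 'SUCCEEDED' : 'denied');
printf("  admin can now log in with the agent-chosen password: %s\n",
    password_verify('new-secret', $vulnerable[1]['password_hash']) ? 'yes' : 'no');

$hardened = $users;
$r2 = resetPasswordWithObjectCheck($agent, 1, 'new-secret', $hardened, $auditLog);
printf("with object check:    reset of admin by agent %s\n", $r2 ? 'succeeded' : 'DENIED');
$r3 = resetPasswordWithObjectCheck($agent, 2, 'own-new-pass', $hardened, $auditLog);
printf("with object check:    reset of own password by agent %s\n", $r3 ? 'succeeded' : 'DENIED');
$admin = $users[1];
$r4 = resetPasswordWithObjectCheck($admin, 3, 'reset-by-admin', $hardened, $auditLog);
printf("with object check:    reset of agent by admin %s\n", $r4 ? 'succeeded' : 'DENIED');

echo "audit log:\n", implode("\n", $auditLog), "\n";
```

Run it with `php example.php`. The point to carry into a real fix is that the authorization question is asked about the pair (actor, target account), not merely "is the caller logged in", and that the DENY lines are what a detection rule should watch for, since a burst of denied cross-user resets from one session is the observable trace of someone probing this endpoint.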
