CVE-2026-38529
Published: 14 April 2026
Summary
CVE-2026-38529 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Webkul Krayin CRM. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 16.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to system resources, directly preventing BOLA by requiring proper authorization checks in the UserController endpoint to block unauthorized password resets.
- AC-24 (Access Control Decisions): mandates explicit access control decisions for specific resources such as user accounts, addressing the missing object-level authorization that allows crafted requests to reset arbitrary passwords.
- AC-6 (Least Privilege): restricts low-privileged authenticated users from performing high-impact actions such as resetting other users' passwords.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The BOLA vulnerability in an authenticated endpoint allows low-privileged users to perform arbitrary password resets. This directly enables Account Manipulation via credential changes (T1098) and Exploitation for Privilege Escalation by taking over higher-privileged accounts (T1068).
NVD Description
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.
Deeper analysis
CVE-2026-38529 is a Broken Object-Level Authorization (BOLA) vulnerability, mapped to CWE-269 and CWE-639, affecting the /Settings/UserController.php endpoint in Webkul Krayin CRM version 2.2.x. It enables authenticated attackers to bypass authorization checks by supplying a crafted HTTP request, allowing arbitrary user password resets. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting a request to the vulnerable endpoint, the attacker can reset the password of any user, leading to full account takeover. This grants unauthorized access to the victim's account, potentially enabling further privilege escalation or data exfiltration within the CRM system.
Mitigation details are outlined in the security advisory available at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38529. Security practitioners should consult the Webkul Krayin CRM project repository at https://github.com/krayin/laravel-crm for patches, updates, or workarounds to address this issue in affected v2.2.x deployments.
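To make the mitigating controls above (AC-3, AC-24, AC-6) concrete for the pattern the analysis describes, the following is an added illustration in Laravel-style PHP. It is not Krayin CRM's code and does not reproduce the affected controller; the class, method, route parameter, policy name and the `hasPermission()` helper are assumptions. It places a minimal missing-check version next to a hardened version that makes an explicit object-level authorization decision before any write.

```php
<?php
// Added example, not Krayin CRM's own code. Names below are assumptions
// chosen to illustrate object-level authorization (AC-3 / AC-24 / AC-6).

namespace App\Http\Controllers\Settings;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;

class UserController extends Controller
{
    // Missing-check pattern (BOLA, CWE-639): the target account is chosen
    // purely from the client-supplied id, and the only gate is "is logged in".
    // Any authenticated user can therefore change any other user's password.
    public function resetPasswordWithoutObjectCheck(Request $request, int $id)
    {
        $target = User::findOrFail($id);
        $target->password = Hash::make($request->input('password'));
        $target->save();

        return response()->json(['status' => 'ok']);
    }

    // Hardened version: validate input, then make an explicit access control
    // decision about *this* object before touching it (AC-24), and enforce it
    // (AC-3). The policy below applies least privilege (AC-6).
    public function resetPassword(Request $request, int $id)
    {
        $validated = $request->validate([
            'password' => ['required', 'string', 'min:12', 'confirmed'],
        ]);

        $target = User::findOrFail($id);

        // Throws AuthorizationException (HTTP 403) unless UserPolicy allows it.
        $this->authorize('updatePassword', $target);

        $target->password = Hash::make($validated['password']);
        $target->save();

        // Audit trail: who changed whose credential, so a reset of a
        // higher-privileged account by a low-privileged actor is detectable.
        Log::info('user.password.reset', [
            'actor_id'  => $request->user()->id,
            'target_id' => $target->id,
            'ip'        => $request->ip(),
        ]);

        return response()->json(['status' => 'ok']);
    }
}
```

The decision itself lives in a policy so it cannot be forgotten on a second endpoint that touches the same object; `hasPermission()` is a placeholder for whatever role check the application already uses (registered in the AuthServiceProvider policy map):

```php
<?php
// Added example policy (assumed name and permission string, not Krayin's).

namespace App\Policies;

use App\Models\User;

class UserPolicy
{
    // A user may reset their own password; resetting someone else's requires
    // an explicit administrative permission. Everything else is denied.
    public function updatePassword(User $actor, User $target): bool
    {
        if ($actor->id === $target->id) {
            return true;
        }

        return $actor->hasPermission('settings.users.edit');
    }
}
```

For detection, the audit line is the useful artefact: an alert on `actor_id != target_id` where the actor lacks the administrative permission, or on bursts of resets from one actor, surfaces exactly the behaviour this CVE enables.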
Details
- CWE(s)