CVE-2026-38530
Published: 14 April 2026
Summary
CVE-2026-38530 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Webkul Krayin CRM. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access to resources like leads, directly preventing BOLA by requiring object-level ownership checks in the LeadController endpoint.
- AC-24 (Access Control Decisions): Determines and authorizes access to specific system resources such as leads based on access control policies, ensuring decisions verify user ownership before read, modify, or delete operations.
- AC-25 (Reference Monitor): Implements a tamper-proof reference monitor mechanism to mediate and enforce access control policies on lead objects, blocking crafted requests that bypass authorization.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The BOLA vulnerability in the public-facing Webkul Krayin CRM web application endpoint directly enables remote exploitation of the application via crafted requests to bypass authorization and access unauthorized data.
NVD Description
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
Deeper analysis
CVE-2026-38530 is a Broken Object-Level Authorization (BOLA) vulnerability, classified under CWE-639, affecting the /Controllers/Lead/LeadController.php endpoint in Webkul Krayin CRM version 2.2.x. It enables authenticated attackers to bypass authorization checks by supplying a crafted GET request, allowing unauthorized access to leads owned by other users. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
Authenticated users with low privileges (PR:L) can exploit this issue remotely over the network without user interaction. By crafting a GET request to the affected endpoint, attackers can arbitrarily read sensitive lead data belonging to other users, modify lead details, or permanently delete them, potentially leading to data leakage, tampering, or loss across the CRM system.
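The following PHP is an added example, not Krayin's own code, illustrating the BOLA pattern described above and the object-level ownership check the AC-3/AC-24/AC-25 controls call for. It is framework-free so it runs with plain `php`: `LeadRepository`, `LeadController`, `authorizeLead` and the sample users and leads are all hypothetical stand-ins for the CRM's lead table and controller, and the vulnerable method is included only to contrast it with the hardened one.

```php
<?php
// Added example (not Krayin's code). Names and data below are constructed.
declare(strict_types=1);

final class AuthorizationDenied extends RuntimeException {}

/** In-memory stand-in for the CRM's lead table (constructed sample rows). */
final class LeadRepository
{
    /** @var array<int, array{id:int, owner_id:int, title:string}> */
    private array $leads = [
        1 => ['id' => 1, 'owner_id' => 10, 'title' => 'Acme renewal'],
        2 => ['id' => 2, 'owner_id' => 20, 'title' => 'Globex upsell'],
    ];

    public function find(int $id): ?array { return $this->leads[$id] ?? null; }
    public function save(array $lead): void { $this->leads[$lead['id']] = $lead; }
    public function delete(int $id): void { unset($this->leads[$id]); }
}

/**
 * Reference-monitor style check (AC-25): every view/update/delete of a lead
 * passes through here. The decision uses the owner stored in the database,
 * never anything the client supplied; the id from the request only selects
 * the row, it does not prove the caller may act on it.
 */
function authorizeLead(array $user, array $lead, string $action): void
{
    $isOwner = $lead['owner_id'] === $user['id'];
    $isAdmin = in_array('admin', $user['roles'], true);
    $allowed = match ($action) {
        'view', 'update', 'delete' => $isOwner || $isAdmin,
        default                    => false, // unknown actions are denied
    };
    if (!$allowed) {
        throw new AuthorizationDenied("{$action} denied on lead {$lead['id']}");
    }
}

final class LeadController
{
    public function __construct(private LeadRepository $repo) {}

    /** Vulnerable shape: the request-supplied id is looked up and returned
     *  with no ownership check, so any authenticated user reads any lead. */
    public function showUnchecked(array $user, int $id): array
    {
        return $this->repo->find($id) ?? throw new RuntimeException('Lead not found');
    }

    /** Hardened shape: look up by id, then authorize against the stored owner. */
    public function show(array $user, int $id): array
    {
        $lead = $this->repo->find($id) ?? throw new RuntimeException('Lead not found');
        authorizeLead($user, $lead, 'view');
        return $lead;
    }

    public function update(array $user, int $id, string $title): array
    {
        $lead = $this->repo->find($id) ?? throw new RuntimeException('Lead not found');
        authorizeLead($user, $lead, 'update');
        $lead['title'] = $title;
        $this->repo->save($lead);
        return $lead;
    }

    public function destroy(array $user, int $id): void
    {
        $lead = $this->repo->find($id) ?? throw new RuntimeException('Lead not found');
        authorizeLead($user, $lead, 'delete');
        $this->repo->delete($id);
    }
}

// Constructed users: two low-privilege sales users, each owning one lead.
$repo  = new LeadRepository();
$ctl   = new LeadController($repo);
$alice = ['id' => 10, 'roles' => ['sales']];
$bob   = ['id' => 20, 'roles' => ['sales']];

echo $ctl->showUnchecked($alice, 2)['title'], " (leaked by the unchecked path)\n";
echo $ctl->show($alice, 1)['title'], " (own lead, allowed)\n";
foreach ([['show', $alice, 2], ['destroy', $bob, 1]] as [$m, $u, $id]) {
    try { $ctl->$m($u, $id); } catch (AuthorizationDenied $e) { echo $e->getMessage(), "\n"; }
}
$ctl->destroy($bob, 2);                 // own lead, allowed
var_dump($repo->find(2));               // NULL: deleted; lead 1 is untouched
```

In a Laravel application the same check is normally expressed as a Policy class with `view`, `update` and `delete` methods and invoked from the controller via `$this->authorize('update', $lead)`; the essential property is the same as here: the authorization decision is made on the stored owner after the row is loaded, not on the id the client chose. One caveat worth keeping in mind when hardening: returning 404 for missing leads and 403 for leads the caller does not own lets a low-privilege user enumerate which ids exist, so many teams return 404 for both cases.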
Advisories and related resources are available at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530 and the project's repository at https://github.com/krayin/laravel-crm, published on 2026-04-14.
Details
- CWE(s)