CVE-2026-38532

HighPublic PoC

Published: 14 April 2026

Published

14 April 2026

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0003 9.8th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-38532 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Webkul Krayin Crm. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to information and system resources, directly addressing the missing object-level authorization checks in the PersonController endpoint that allow unauthorized read, modify, and delete of other users' contacts.

AC-24 Access Control Decisions good match

prevent

Implements access control decision logic to authorize access to specific system resources like contacts based on ownership, preventing authenticated attackers from targeting other users' data via crafted requests.

AC-6 Least Privilege partial match

prevent

Employs least privilege to restrict users to only necessary accesses, limiting the impact of BOLA by ensuring privileges do not extend to other users' contacts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.004 Customer Relationship Management Software Collection

Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

BOLA vuln in public-facing CRM web app enables unauthorized access/modify/delete of contact data, directly facilitating T1190 for exploitation, T1213.004 for CRM data collection, and T1565.001 for stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.

Deeper analysisAI

CVE-2026-38532 is a Broken Object-Level Authorization (BOLA) vulnerability, mapped to CWE-639, in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x. Published on 2026-04-14T16:16:43.830, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The issue stems from inadequate authorization checks, allowing authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users through a crafted GET request to the endpoint.

Any authenticated user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation grants high-impact unauthorized access to confidentiality (C:H) by reading sensitive contact data, high-impact integrity violations (I:H) via modifications, and permanent deletions, though it does not affect availability (A:N).

Advisories and project details are available at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532 and https://github.com/krayin/laravel-crm. Security practitioners should review these references for any guidance on patches or mitigations.

Details

CWE(s): CWE-639

Affected Products

webkul

krayin crm

2.2.0

CVEs Like This One

CVE-2026-38530Same product: Webkul Krayin Crm

CVE-2026-38529Same product: Webkul Krayin Crm

CVE-2026-21447Same vendor: Webkul

CVE-2026-29189Shared CWE-639

CVE-2025-67325Same vendor: Webkul

CVE-2026-21448Same vendor: Webkul

CVE-2026-21446Same vendor: Webkul

CVE-2026-21449Same vendor: Webkul

CVE-2025-55745Same vendor: Webkul

CVE-2026-21451Same vendor: Webkul

References

https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532
Exploit, Mitigation, Third Party Advisory · cve@mitre.org
https://github.com/krayin/laravel-crm
Product · cve@mitre.org