Cyber Resilience

CVE-2026-38532

HighPublic PoC

Published: 14 April 2026

Published
14 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0035 26.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-38532 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Webkul Krayin Crm. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-38532 is a Broken Object-Level Authorization (BOLA) vulnerability, mapped to CWE-639, in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x. Published on 2026-04-14T16:16:43.830, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The issue stems from inadequate authorization checks, allowing authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users through a crafted GET request to the endpoint.

Any authenticated user with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation grants high-impact unauthorized access to confidentiality (C:H) by reading sensitive contact data, high-impact integrity violations (I:H) via modifications, and permanent deletions, though it does not affect availability (A:N).

Advisories and project details are available at https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532 and https://github.com/krayin/laravel-crm. Security practitioners should review these references for any guidance on patches or mitigations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.004 Customer Relationship Management Software Collection
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

BOLA vuln in public-facing CRM web app enables unauthorized access/modify/delete of contact data, directly facilitating T1190 for exploitation, T1213.004 for CRM data collection, and T1565.001 for stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-38530Same product: Webkul Krayin Crm
CVE-2026-38529Same product: Webkul Krayin Crm
CVE-2026-21447Same vendor: Webkul
CVE-2026-29189Shared CWE-639
CVE-2025-67325Same vendor: Webkul
CVE-2026-21448Same vendor: Webkul
CVE-2026-21446Same vendor: Webkul
CVE-2025-55745Same vendor: Webkul
CVE-2026-21451Same vendor: Webkul
CVE-2026-21450Same vendor: Webkul

Affected Assets

webkul
krayin crm
2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to information and system resources, directly addressing the missing object-level authorization checks in the PersonController endpoint that allow unauthorized read, modify, and delete of other users' contacts.

prevent

Implements access control decision logic to authorize access to specific system resources like contacts based on ownership, preventing authenticated attackers from targeting other users' data via crafted requests.

prevent

Employs least privilege to restrict users to only necessary accesses, limiting the impact of BOLA by ensuring privileges do not extend to other users' contacts.

References