LeakyCreds

CVE-2026-38530 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: April 14, 2026

Webkul Krayin CRM - Broken Access Control

Published: April 14, 2026 | Updated: April 14, 2026 | Remote Exploitable

Overview

Webkul Krayin CRM v2.2.x contains a broken access control vulnerability caused by improper object-level authorization in /Controllers/Lead/LeadController.php. It lets authenticated attackers read, modify, and delete leads owned by other users. Exploitation requires authentication.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Authenticated attackers can read, modify, and delete leads owned by other users, leading to data loss and unauthorized data access.

Mitigation

Update to the latest version of Webkul Krayin CRM.

Details

CVE ID: CVE-2026-38530
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: new

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N