LeakyCreds

CVE-2026-38532 - Vulnerability Analysis

High | CVSS: 8.1

Last Updated: April 14, 2026

Webkul Krayin CRM - Broken Access Control

Published: April 14, 2026 | Updated: April 14, 2026 | Remote Exploitable

Overview

Webkul Krayin CRM v2.2.x contains a broken access control vulnerability caused by insufficient authorization checks in /Contact/Persons/PersonController.php. It lets authenticated attackers read, modify, and delete contacts of other users. Exploitation requires authentication.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Authenticated attackers can read, modify, and delete contacts owned by other users, leading to data loss and unauthorized data access.

Mitigation

Update to the latest version that patches this authorization issue.

Details

CVE ID: CVE-2026-38532
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: new

CWE

  • CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N