Home / Vulnerability Intelligence / CVE-2026-5652

CVE-2026-5652 - Vulnerability Analysis

CriticalCVSS: 9.0

Last Updated: April 21, 2026

Crafty Controller - Broken Access Control

Published: April 21, 2026Updated: April 21, 2026Remote Exploitable

Overview

Crafty Controller contains an insecure direct object reference caused by improper API permissions validation in the Users API component, letting remote authenticated attackers modify user data.

Severity & Score

Severity: Critical

CVSS Score: 9.0

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Remote authenticated attackers can modify user data, potentially leading to unauthorized changes or privilege escalation.

Mitigation

Update to the latest version with proper API permissions validation.

References

https://gitlab.com/crafty-controller/crafty-4/-/work_items/705

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 21, 2026

🔴 CVE-2026-5652 - Critical (9) An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-5652/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-5652
Severity: Critical
CVSS Score: 9.0
Type: broken_access_control
Status: new
EPSS: 0.0%
Social Posts: 1

CWE

CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

EPSS Score

0.0%Probability of exploitation in the next 30 days