Webkul Krayin CRM v2.2.x: Unauthorized Access to Other Users' Contacts
CVE-2026-38532
Summary
An attacker who has logged in to Webkul Krayin CRM can read, edit, or delete any contact that belongs to another user. The cause is a missing object-level authorization check: the endpoint acts on whichever contact id the client supplies without verifying that the requesting user owns it (CWE-639). To fix this, update to the latest version of Webkul Krayin CRM or apply the provided patch to the /Contact/Persons/PersonController.php file.
Original title
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanen...
Original description
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request.
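The PHP sketch below is an added illustration of the defect class the description names (CWE-639, object-level authorization bypass); it is not code from Krayin's PersonController.php or from its patch, and the function names, the in-memory contact store and the user ids are hypothetical. It contrasts a lookup keyed only on the client-supplied id with one that scopes the lookup to the requesting user.

```php
<?php
// Added illustration of CWE-639 in the style of a CRM "person" endpoint.
// Hypothetical names and data; not Krayin's code or its fix.
declare(strict_types=1);

// Constructed sample store: each contact records the id of the user who owns it.
const PERSONS = [
    1 => ['id' => 1, 'name' => 'Alice Example', 'user_id' => 10],
    2 => ['id' => 2, 'name' => 'Bob Example',   'user_id' => 20],
];

// Vulnerable pattern: the record is fetched purely by the id taken from the
// request, so any authenticated user can read (and, with the same pattern on
// the update/delete actions, modify or remove) a contact owned by someone else.
function showPersonVulnerable(int $currentUserId, int $personId): ?array
{
    return PERSONS[$personId] ?? null;
}

// Hardened pattern: ownership is part of the lookup itself. A foreign id is
// treated exactly like a non-existent one (a 404 rather than a 403), which
// also avoids confirming to the caller that the record exists at all.
function showPersonFixed(int $currentUserId, int $personId): ?array
{
    $person = PERSONS[$personId] ?? null;
    if ($person === null || $person['user_id'] !== $currentUserId) {
        return null;
    }
    return $person;
}

// Demonstration: user 10 requests contact 2, which belongs to user 20.
$leaked  = showPersonVulnerable(10, 2);
$blocked = showPersonFixed(10, 2);
$own     = showPersonFixed(10, 1);

echo 'vulnerable lookup: ' . ($leaked === null ? 'no record' : 'returns ' . $leaked['name']) . PHP_EOL;
echo 'scoped lookup:     ' . ($blocked === null ? 'no record' : 'returns ' . $blocked['name']) . PHP_EOL;
echo 'own contact:       ' . ($own === null ? 'no record' : 'returns ' . $own['name']) . PHP_EOL;
```

Apply the same scoping to every action that takes a record id (show, edit, update, destroy), since a check on the read path alone leaves the modify and delete paths exposed.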
NVD CVSS 3.1
8.1
Vulnerability type
CWE-639: Authorization Bypass Through User-Controlled Key
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026