Broken Object-Level Authorization in Webkul Krayin CRM Software
CVE-2026-38529

8.8HIGH

Key Information:

Vendor: Webkul
Status: Krayin CRM
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-38529?

A critical flaw exists in the Webkul Krayin CRM software that allows authenticated users to exploit the /Settings/UserController.php endpoint. Through this vulnerability, attackers can reset user passwords without authorization, leading to potential account takeovers. This security issue emphasizes the importance of robust access controls in web applications to prevent unauthorized account access and protect user data.

References

https://github.com/krayin/laravel-crm

https://github.com/TREXNEGRO/Security-Advisories/tree/mai...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-38529 Data

JSON