Insecure Direct Object Reference Vulnerability in Crafty Controller
CVE-2026-5652

9CRITICAL

Key Information:

Vendor: Arcadia Technology, Llc
Status: Crafty Controller
Vendor: CVE Published:; 21 April 2026

🔔 Create Arcadia Technology, Llc Vulnerability Alert

What is CVE-2026-5652?

An exposure within the Users API of Crafty Controller permits a remote, authenticated attacker to manipulate user data due to insufficient validation of API permissions. This flaw could lead to unauthorized modifications, making it essential for users to review their API security practices.

Affected Version(s)

Crafty Controller 0 <= 4.10.2

References

https://gitlab.com/crafty-controller/crafty-4/-/work_item...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 21, 2026
Vulnerability Reserved
Apr 6, 2026

Credit

Thank you to [Kacper Leszczyński / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue.

CVE-2026-5652 Data

JSON