Insecure Direct Object Reference in Krayin CRM by Krayin
CVE-2026-61460
Key Information:
- Vendor
Krayin
- Status
- Vendor
- CVE Published:
- 10 July 2026
Badges
What is CVE-2026-61460?
Krayin CRM versions up to 2.2.3 are susceptible to an insecure direct object reference vulnerability affecting several key controllers, including LeadController, PersonController, OrganizationController, QuoteController, and ActivityController. This flaw enables authenticated users to gain unauthorized access to alter, update, or delete records belonging to other users. The absence of robust record-level ownership checks in the edit, update, and destroy methods creates an opportunity for attackers to modify essential CRM data and reassign ownership, thereby jeopardizing data integrity and security.
Affected Version(s)
laravel-crm 0 <= 2.2.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
