CVE-2026-38527
Server-Side Request Forgery in Webkul Krayin CRM Webhooks
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webkul | krayin_crm | 2.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-38527 is a Server-Side Request Forgery (SSRF) vulnerability in Webkul Krayin CRM version 2.2.x, specifically in the webhook automation feature at /settings/webhooks/create.
The vulnerability occurs because the webhook's end_point parameter accepts attacker-controlled URLs without validating or restricting access to internal network addresses.
An authenticated attacker with low privileges can create a webhook pointing to internal IP addresses or cloud metadata services. When triggered, the server sends HTTP requests to these internal addresses, allowing the attacker to scan internal resources, enumerate services, and potentially access sensitive cloud metadata APIs to retrieve credentials.
How can this vulnerability impact me?
This vulnerability can have a high impact on confidentiality by allowing attackers to read responses from internal services that are normally inaccessible.
It can enable attackers to scan and enumerate internal network resources and potentially access sensitive cloud metadata services to retrieve IAM credentials.
The integrity impact is low, as attackers might trigger state changes on internal services, but availability is not directly affected.
The scope of the impact is changed, meaning the attack can affect systems beyond the CRM application itself, including internal network infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two sides: webhook creation and webhook delivery. On the creation side, look for POST requests to /settings/webhooks/create whose end_point value points at a loopback, private, link-local or cloud metadata address (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254). A standard web server access log records only the request line, so the end_point form field will not appear in it unless a reverse proxy or WAF is configured to log request bodies; the webhook definitions stored in the CRM's database are the more reliable record of what was actually configured.
- Identify who has been creating webhooks, then review those definitions in the application: `grep 'POST /settings/webhooks/create' /var/log/webserver/access.log`
- Where request bodies are logged, search them for internal targets, remembering that the value is URL-encoded (`%3A%2F%2F` for `://`): `grep -Ei 'end_point=http%3A%2F%2F(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.)' /var/log/webserver/access.log`
- On the delivery side, monitor outbound HTTP requests from the CRM server to internal addresses or to 169.254.169.254; on a correctly segmented host the CRM should have no reason to talk to those destinations at all.
- Use tcpdump or Wireshark to capture and analyse such traffic, e.g. `tcpdump -i any -nn host 169.254.169.254` on the CRM host, and correlate hits with webhook trigger events in the application log.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict validation and restrictions on the webhook 'end_point' parameter to prevent requests to internal IP ranges and cloud metadata endpoints.
- Apply a URL allowlist to restrict webhook URLs to approved external domains only.
- Reject webhook URLs whose host is a private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8, ::1), link-local (169.254.0.0/16, fe80::/10), unspecified (0.0.0.0, ::) or IPv6 unique-local (fc00::/7) address, which covers the cloud metadata addresses 169.254.169.254 and fd00:ec2::254. Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) and decimal, octal or hex IP spellings before checking, because those forms bypass naive string filters.
- Defend against DNS rebinding by resolving the hostname at validation time, checking every returned address, and then connecting to that validated address (keeping the original Host header and SNI) rather than resolving again when the webhook fires; otherwise an attacker-controlled name can answer with a public address during validation and an internal one at delivery.
- Do not follow redirects when delivering webhooks, or re-validate every redirect target: a 302 from an allowed external host to an internal address defeats validation performed at creation time.
- Route outbound webhook requests through an egress proxy that enforces the same blocklist, so the policy holds even if application-level validation is bypassed.
- Restrict the URL scheme to http and https; reject file://, gopher://, dict:// and any other scheme the HTTP client library happens to support.
- Check Webkul for a release that fixes CVE-2026-38527 and upgrade once one is available; the controls above limit exposure in the meantime.
Using webhook secrets can help validate legitimate webhook requests but does not prevent SSRF itself.
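A worked example tying the log check in the detection section above to the end_point validation in this list. This is added illustrative Python, not Krayin's own code (Krayin is a PHP/Laravel application): the log format, hostnames, DNS answers, the metadata hostname list and every form field other than end_point are constructed assumptions, and the sample public address is 93.184.216.34 rather than the 203.0.113.0/24 documentation range because Python's ipaddress module classifies documentation ranges as non-global.

```python
# Added example (not Krayin's code): validate webhook end_point URLs with DNS
# pinning and scan request logs for webhook creations aimed at internal targets.
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple, Union
from urllib.parse import unquote_plus, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}  # assumed list
# Decimal/hex/octal spellings that ipaddress rejects but libc inet_aton would happily resolve.
OBFUSCATED_IP = re.compile(r"^(?:0x[0-9a-f]+|\d+)(?:\.(?:0x[0-9a-f]+|\d+))*$", re.I)
WEBHOOK_CREATE = re.compile(r"POST\s+/settings/webhooks/create\b")
END_POINT = re.compile(r'(?:^|[&?\s"])end_point=([^&"\s]+)')
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def disallowed_reason(ip: IPAddr) -> Optional[str]:
    """Why ip must not be a webhook target, or None if it is globally routable."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (169.254.0.0/16, where cloud metadata lives)"
    if ip.is_private:
        return "private (RFC 1918 / ULA)"
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved or not ip.is_global:
        return "unspecified, multicast, reserved or otherwise non-global"
    return None


def classify_target(url: str) -> Tuple[str, str]:
    """('blocked', reason) | ('ok', ip_literal) | ('hostname', name) for a webhook URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    except ValueError:
        return ("blocked", "unparseable URL")
    if parts.scheme not in ALLOWED_SCHEMES:
        return ("blocked", f"scheme {parts.scheme!r} not allowed")
    if not host:
        return ("blocked", "missing host")
    if host in METADATA_HOSTNAMES:
        return ("blocked", f"metadata hostname {host}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if OBFUSCATED_IP.match(host):
            return ("blocked", f"numeric host form {host!r} not allowed")
        return ("hostname", host)
    reason = disallowed_reason(ip)
    return ("blocked", f"{host}: {reason}") if reason else ("ok", host)


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer for host; all of them get checked, not just the first."""
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})


def validate_endpoint(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str, Optional[str]]:
    """(ok, reason, pinned_ip). The sender must connect to pinned_ip with the original
    Host header/SNI instead of re-resolving, or a rebinding answer swaps in an internal IP."""
    status, detail = classify_target(url)
    if status == "blocked":
        return (False, detail, None)
    if status == "ok":
        return (True, "ok", detail)
    try:
        answers = resolver(detail)
    except socket.gaierror:
        return (False, f"{detail} does not resolve", None)
    if not answers:
        return (False, f"{detail} has no addresses", None)
    for addr in answers:
        reason = disallowed_reason(ipaddress.ip_address(addr))
        if reason:
            return (False, f"{detail} resolves to {addr}: {reason}", None)
    return (True, "ok", answers[0])


def scan_log_lines(lines: List[str], resolver: Resolver = system_resolver) -> List[Tuple[int, str, str]]:
    """(line_no, end_point, reason) for webhook creations whose end_point fails validation."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = END_POINT.search(line) if WEBHOOK_CREATE.search(line) else None
        if m:
            url = unquote_plus(m.group(1))  # form values arrive URL-encoded
            ok, reason, _ = validate_endpoint(url, resolver)
            if not ok:
                findings.append((n, url, reason))
    return findings


# Constructed sample of a proxy log that records POST bodies (e.g. nginx $request_body).
SAMPLE_LOG = """\
2026-04-14T10:02:11Z 198.51.100.7 "POST /settings/webhooks/create HTTP/1.1" 302 body="name=crm-sync&end_point=https%3A%2F%2Fhooks.example.com%2Fin"
2026-04-14T10:03:40Z 198.51.100.7 "POST /settings/webhooks/create HTTP/1.1" 302 body="name=p1&end_point=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F"
2026-04-14T10:04:02Z 198.51.100.7 "POST /settings/webhooks/create HTTP/1.1" 302 body="name=p2&end_point=http%3A%2F%2F2130706433%3A6379%2F"
2026-04-14T10:04:30Z 198.51.100.7 "POST /settings/webhooks/create HTTP/1.1" 302 body="name=p3&end_point=http%3A%2F%2Frebind.attacker.example%2Fx"
2026-04-14T10:05:00Z 198.51.100.9 "GET /settings/webhooks HTTP/1.1" 200 body=""
""".splitlines()

# Constructed DNS so the example runs offline; deployments pass system_resolver.
FAKE_DNS: Dict[str, List[str]] = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.35", "10.0.0.5"],  # split answer: one public, one internal
}


def fake_resolver(host: str) -> List[str]:
    if host in FAKE_DNS:
        return list(FAKE_DNS[host])
    raise socket.gaierror(f"unknown host {host}")


if __name__ == "__main__":
    for n, url, reason in scan_log_lines(SAMPLE_LOG, fake_resolver):
        print(f"line {n}: {url} -> {reason}")
```

Running it reports lines 2, 3 and 4 of the sample log: the metadata address, the decimal-encoded loopback and the split DNS answer whose second record is internal. The pinned address returned by validate_endpoint is only useful if the delivery code honours it; a plain `requests.post(url)` re-resolves the name, so the sender needs something like curl's `--resolve` or a custom connection adapter that dials the pinned IP while sending the original Host header.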
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SSRF vulnerability in Webkul Krayin CRM allows attackers to access internal network resources and potentially sensitive cloud metadata services, which can lead to unauthorized disclosure of confidential information.
Such unauthorized access and potential data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information from unauthorized access.
Because the vulnerability enables attackers to read internal service responses and possibly retrieve IAM credentials, it increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these standards.