Executive Summary

CVE-2026-38527 is a Server-Side Request Forgery (SSRF) vulnerability in Webkul Krayin CRM version 2.2.x, specifically in the webhook automation feature at /settings/webhooks/create.

The vulnerability occurs because the webhook's end_point parameter accepts attacker-controlled URLs without validating or restricting access to internal network addresses.

An authenticated attacker with low privileges can create a webhook pointing to internal IP addresses or cloud metadata services. When triggered, the server sends HTTP requests to these internal addresses, allowing the attacker to scan internal resources, enumerate services, and potentially access sensitive cloud metadata APIs to retrieve credentials.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a high impact on confidentiality by allowing attackers to read responses from internal services that are normally inaccessible.

It can enable attackers to scan and enumerate internal network resources and potentially access sensitive cloud metadata services to retrieve IAM credentials.

The integrity impact is low, as attackers might trigger state changes on internal services, but availability is not directly affected.

The scope of the impact is changed, meaning the attack can affect systems beyond the CRM application itself, including internal network infrastructure.

Useful 0 Not Useful 0

Detection Guidance

This SSRF vulnerability can be detected by monitoring for unusual POST requests to the /settings/webhooks/create endpoint that include webhook URLs pointing to internal IP addresses such as 127.0.0.1, 10.0.0.1, or cloud metadata service IPs like 169.254.169.254.

Commands to detect exploitation attempts may include inspecting web server logs for POST requests with suspicious 'end_point' parameters targeting internal IP ranges.

• Use grep or similar tools to search logs for webhook creation attempts with internal IPs, e.g., `grep -i 'end_point.*10\.' /var/log/webserver/access.log`
• Monitor network traffic for outbound HTTP requests from the CRM server to internal IP addresses triggered by webhook events.
• Use tools like tcpdump or Wireshark to capture and analyze HTTP requests originating from the CRM server to internal or cloud metadata IPs.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing strict validation and restrictions on the webhook 'end_point' parameter to prevent requests to internal IP ranges and cloud metadata endpoints.

• Apply a URL allowlist to restrict webhook URLs to approved external domains only.
• Reject webhook URLs that point to private IP ranges (10.x.x.x, 172.16.x.x–172.31.x.x, 192.168.x.x), loopback addresses (127.x.x.x), link-local addresses (169.254.x.x), or cloud metadata service IPs.
• Implement DNS rebinding protection by resolving webhook URLs at configuration time and blocking disallowed IPs.
• Route outbound webhook requests through an egress proxy that enforces IP blocklists.
• Disable SSRF-prone URL schemes such as file://, gopher://, dict://, etc.

Using webhook secrets can help validate legitimate webhook requests but does not prevent SSRF itself.

Useful 0 Not Useful 0

Compliance Impact

The SSRF vulnerability in Webkul Krayin CRM allows attackers to access internal network resources and potentially sensitive cloud metadata services, which can lead to unauthorized disclosure of confidential information.

Such unauthorized access and potential data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information from unauthorized access.

Because the vulnerability enables attackers to read internal service responses and possibly retrieve IAM credentials, it increases the risk of data breaches and unauthorized data processing, which are critical compliance concerns under these standards.

Useful 0 Not Useful 0