Executive Summary

CVE-2026-38529 is a Broken Object-Level Authorization (BOLA) vulnerability in Webkul Krayin CRM version 2.2.x. It exists in the user management endpoint where the system fails to verify that the authenticated user has permission to modify the target user account. Specifically, any non-admin user with the 'users.edit' permission can send a crafted request to reset the password or deactivate any other non-admin user account without ownership verification.

This flaw allows an attacker to arbitrarily change sensitive authentication fields like passwords or activation status by exploiting improper authorization checks in the UserController.php file. The attacker can then log in as the victim or lock out the victim's account.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full account takeover of any CRM user account by an authenticated low-privilege attacker. The attacker can reset passwords without knowing the victim's current password and gain unauthorized access.

Additionally, the attacker can lock out users by deactivating their accounts, causing denial of service. This leads to high confidentiality, integrity, and availability impacts, such as unauthorized data access and disruption of user accounts.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious PUT requests to the user management endpoint that attempt to change passwords or activation status of user accounts other than the requester's own.

Specifically, look for HTTP PUT requests to the path `/admin/settings/users/edit/{id}` where the authenticated user ID does not match the target user ID in the URL.

Commands to detect such activity could include using network traffic inspection tools or web server logs to filter for these requests.

• Using grep on web server logs to find suspicious PUT requests: `grep 'PUT /admin/settings/users/edit/' /var/log/nginx/access.log`
• Using curl or similar tools to test if unauthorized password changes are possible (for authorized testers only):
• curl -X PUT -H "Authorization: Bearer <token>" -d '{"password":"newpass"}' https://<target>/admin/settings/users/edit/<victim_id>

Additionally, audit logs should be checked for password changes or activation status changes performed by users who are not administrators or the account owners.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing strict object-level authorization checks to ensure that only the account owner or an administrator can modify sensitive fields such as passwords or activation status.

• Reject any requests where the authenticated user's ID does not match the target user ID unless the user has administrative privileges.
• Require the current password to be provided and verified before allowing password changes.
• Restrict the permissions granted by `users.edit` so that non-admin users cannot modify authentication-related fields.
• Enable audit logging for all password and activation status changes, recording the actor ID, target ID, and timestamps.

If possible, apply any available patches or updates from the vendor that address this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an authenticated attacker to perform a full account takeover by resetting user passwords without proper authorization checks. Such unauthorized access can lead to exposure and exfiltration of sensitive personal data, including leads, contacts, and activities stored in the CRM.

The impact on confidentiality, integrity, and availability is high, which can result in non-compliance with data protection regulations such as GDPR and HIPAA that require strict access controls and protection of personal data.

Failure to prevent unauthorized account takeovers and lack of proper authorization checks may lead to violations of these standards, potentially resulting in legal and financial penalties.

Useful 0 Not Useful 0