CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

Because of this missing management check, a remote authenticated attacker with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope.

For example, the attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. This vulnerability arises because the endpoint enforces management checks only for password changes but not for other critical fields.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It affects the PATCH /api/v2/users/{user_id} endpoint, allowing a remote, authenticated attacker with USER_CONFIG permission to modify or disable any other user's account without proper authorization checks.

The vulnerability exists because the API only verifies that the requester has USER_CONFIG permission but does not check whether the requester manages the target user. This missing check allows an attacker to send a PATCH request with an arbitrary user ID and disable that user by setting the "enabled" field to false.

The expected behavior is that the API should enforce management hierarchy checks and reject unauthorized modification attempts with a 403 Forbidden response. However, this check is only implemented for password changes and not for other fields like "enabled".

This vulnerability can have severe impacts by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers outside their management scope.

By disabling critical user accounts, an attacker can effectively lock out legitimate users from the system, disrupting normal operations and potentially blocking access to the application.

Because the vulnerability allows modification of user accounts without proper authorization, it can lead to loss of control over user management and compromise the integrity and availability of the system.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission who are not managers of the target user.

To detect exploitation attempts, you can look for PATCH requests with JSON payloads like {"enabled": false} targeting user IDs outside the requester's management scope.

Suggested commands include using network traffic inspection tools or API logs to identify such requests. For example, using curl to simulate or detect suspicious requests:

• curl -X PATCH https://your-crafty-controller/api/v2/users/{victim_user_id} -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}'

Additionally, reviewing API access logs for PATCH requests to /api/v2/users/ with changes to the "enabled" field can help detect attempts to disable user accounts improperly.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage closely.

Ensure that only users who must manage other users have USER_CONFIG permission, and audit existing users with this permission.

If possible, apply any available patches or updates from the vendor that fix the improper permission validation in the PATCH /api/v2/users/{user_id} endpoint.

As a temporary workaround, consider implementing network-level controls or API gateway rules to block PATCH requests that attempt to disable users unless properly authorized.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

A remote, authenticated attacker with USER_CONFIG permission can exploit this flaw to modify or disable any other user's account, including administrators and managers outside their management scope. This happens because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester actually manages the target user.

For example, an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking that user out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including those of administrators and managers.

Such unauthorized modifications can disrupt normal user operations, block access to the application for critical users, and potentially cause denial of service within the system by locking out key personnel.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other users' accounts.

A detection approach involves authenticating as a user with USER_CONFIG permission and checking if they can modify other users outside their management scope. You can also inspect logs or network traffic for suspicious PATCH requests that include JSON bodies like {"enabled": false} targeting arbitrary user IDs.

Example commands to test or detect the vulnerability include:

• Authenticate as a USER_CONFIG user to obtain a Bearer token.
• Use a GET request to list users and obtain victim user IDs: curl -H "Authorization: Bearer <token>" https://<crafty-controller>/api/v2/users
• Send a PATCH request to disable a user account: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller>/api/v2/users/<victim_user_id>

If the PATCH request succeeds in disabling a user outside the requester's management scope, the vulnerability is present.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage closely.

Ensure that users with USER_CONFIG permission are aware of the risk and limit their access until a patch or fix is applied.

If possible, apply access control rules or firewall policies to restrict PATCH requests to the /api/v2/users/{user_id} endpoint.

Contact the vendor or check for updates to Crafty Controller that address this vulnerability by enforcing proper management checks on user modification requests.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

This means an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an authenticated user with USER_CONFIG permission to disable or modify any other user's account, including high-privilege accounts like administrators and managers.

As a result, attackers can lock out legitimate users from the system, disrupt normal user operations, and potentially block access to critical administrative functions.

This can lead to denial of service for users and administrators, impacting the availability and management of the application.

This vulnerability can be detected by monitoring for suspicious PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission.

To detect exploitation attempts, you can look for authenticated requests from non-superusers with USER_CONFIG permission that attempt to modify other users' accounts, especially disabling them.

Suggested commands include:

• Use network traffic inspection tools (e.g., tcpdump, Wireshark) to filter HTTP PATCH requests to /api/v2/users/* endpoints.
• Check server logs for PATCH requests with JSON bodies containing {"enabled": false} from users with USER_CONFIG permission.
• Example curl command to test the vulnerability (for authorized testing only):
• curl -X PATCH https://<crafty-controller-host>/api/v2/users/<victim_user_id> -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}'

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring for suspicious API usage.

Ensure that users with USER_CONFIG permission cannot modify accounts outside their management scope by implementing proper permission checks on the PATCH /api/v2/users/{user_id} endpoint.

If possible, apply any available patches or updates from the vendor that address this issue.

As a temporary workaround, monitor and block PATCH requests that attempt to disable other users' accounts unless they are within the requester's management hierarchy.

Immediate mitigation steps include restricting USER_CONFIG permissions to only trusted users and monitoring API usage closely.

Ensure that the API endpoint enforces proper permission checks, specifically verifying that the requesting user manages the target user before allowing modifications.

If possible, apply any available patches or updates from the vendor that address this vulnerability.

• Audit and limit users with USER_CONFIG permission.
• Implement network monitoring and alerting for suspicious PATCH requests to /api/v2/users/*.
• Temporarily disable or restrict API access for users with USER_CONFIG permission until a fix is applied.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It affects the PATCH /api/v2/users/{user_id} endpoint, where a remote, authenticated attacker with USER_CONFIG permission can modify or disable any other user's account without proper authorization checks.

The vulnerability exists because the API only verifies that the requester has USER_CONFIG permission but does not check if the requester actually manages the target user. This allows an attacker to send a PATCH request with an arbitrary user ID and change critical fields like "enabled" to false, effectively locking out other users, including administrators and managers.

The expected behavior is that the API should enforce a management check to ensure the requester manages the target user before allowing modifications. This check is missing for fields other than password changes, which leads to this security flaw.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account in the system, including administrators and managers outside their management scope.

By setting the "enabled" field of a user account to false, the attacker can lock out legitimate users from accessing the system, disrupting normal operations and potentially causing denial of service for critical users.

Because the vulnerability allows modification of user accounts without proper authorization, it can lead to unauthorized access control changes, loss of administrative control, and overall compromise of the user management system.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified.

An attacker with USER_CONFIG permission can send a PATCH request with an arbitrary user ID to disable other users. Detection involves checking for such PATCH requests that disable accounts outside the requester's management scope.

Suggested commands to detect exploitation attempts include capturing and analyzing API requests with tools like curl or network monitoring tools to identify suspicious PATCH requests.

• Use curl to simulate or detect suspicious requests: curl -X PATCH https://your-crafty-controller/api/v2/users/{user_id} -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}'
• Monitor logs or network traffic for PATCH requests to /api/v2/users/* with JSON bodies containing "enabled": false.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs because the PATCH /api/v2/users/{user_id} endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user. This allows a remote, authenticated attacker with USER_CONFIG permission to modify or disable any other user's account, including administrators and managers outside their management scope.

Specifically, an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should enforce management checks and reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields like "enabled".

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers, regardless of their role or permissions.

As a result, critical user accounts can be locked out, disrupting normal user flow and potentially blocking access to the application for legitimate users. This can lead to denial of service for administrators and other key personnel, affecting the overall availability and management of the system.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission who are not managers of the target user.

To detect exploitation attempts, you can look for PATCH requests with JSON bodies containing {"enabled": false} targeting user IDs outside the requester's management scope.

Example commands to detect such activity include:

• Using network traffic inspection tools (e.g., tcpdump or Wireshark) to filter HTTP PATCH requests to /api/v2/users/
• Using grep or similar tools on server logs to find PATCH requests with payloads containing "enabled": false
• Example log search command: grep -i 'PATCH /api/v2/users/' /var/log/crafty-controller/access.log | grep '"enabled": false'
• Review authentication tokens or user permissions associated with these requests to verify if the requester has USER_CONFIG permission but is modifying users outside their management scope.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

This allows an attacker to send a PATCH request with an arbitrary user ID and set the "enabled" field to false, effectively locking out other users from the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response.

This vulnerability can have a significant impact by allowing an authenticated user with USER_CONFIG permission to disable or modify any other user's account, including administrators and managers, regardless of their role or permissions.

As a result, attackers can lock out legitimate users from the system, disrupt normal user flow, and block application usage, potentially causing denial of service for critical users.

This vulnerability can be detected by monitoring for suspicious PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission.

To detect exploitation attempts, you can look for PATCH requests that disable user accounts, especially those targeting users outside the requester's management scope.

• Authenticate as a user with USER_CONFIG permission to obtain a Bearer token.
• Use a command to retrieve user IDs, for example: curl -H "Authorization: Bearer <token>" https://<crafty-controller-host>/api/v2/users
• Check logs or capture network traffic for PATCH requests like: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/{victim_user_id}

Immediate mitigation steps include restricting USER_CONFIG permissions to only trusted users and monitoring for unauthorized PATCH requests that disable user accounts.

Ensure that the API endpoint enforces proper management checks so that users can only modify accounts they manage.

If possible, apply any available patches or updates from the vendor that address this permission validation flaw.

As a temporary workaround, audit and limit access to the PATCH /api/v2/users/{user_id} endpoint and consider disabling or restricting the USER_CONFIG permission until a fix is applied.

Immediate mitigation steps include restricting USER_CONFIG permission to only fully trusted users, as this permission currently allows modification of any user account.

Additionally, monitor and audit API usage for suspicious PATCH requests to /api/v2/users/{user_id} that attempt to disable accounts.

If possible, apply any available patches or updates from the vendor that enforce proper management checks on the PATCH endpoint to ensure users can only modify accounts they manage.

As a temporary workaround, consider implementing network-level controls or API gateways to block unauthorized PATCH requests targeting user account modifications.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a remote, authenticated attacker with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope. This happens because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester actually manages the target user.

For example, an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including high-privilege accounts such as administrators and managers.

As a result, attackers can lock out legitimate users from the system, disrupt normal user workflows, and potentially block access to critical administrative functions.

This can lead to denial of service for users and administrators, impacting the availability and integrity of the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other users' accounts.

A detection approach involves checking logs or capturing network traffic for suspicious API calls where a user modifies another user's "enabled" status.

• Authenticate as a user with USER_CONFIG permission to obtain a Bearer token.
• Use a GET request to /api/v2/users to retrieve user IDs.
• Look for PATCH requests to /api/v2/users/{user_id} with JSON body {"enabled": false} coming from non-superusers.
• Example command to test the vulnerability (for detection purposes only):

curl -X PATCH https://your-crafty-controller/api/v2/users/{victim_user_id} -H "Authorization: Bearer {token}" -H "Content-Type: application/json" -d '{"enabled": false}'

Immediate mitigation steps include restricting USER_CONFIG permissions only to trusted users and monitoring API usage closely.

Ensure that users with USER_CONFIG permission are aware of the risk and audit their actions regularly.

If possible, apply any available patches or updates from the vendor that address the missing management check on the PATCH /api/v2/users/{user_id} endpoint.

As a temporary workaround, consider implementing additional access controls or API gateway rules to block PATCH requests that modify the "enabled" field unless the requester manages the target user.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It affects the PATCH /api/v2/users/{user_id} endpoint, where a remote, authenticated attacker with USER_CONFIG permission can modify or disable any other user's account without proper permission checks.

The vulnerability exists because the API only verifies that the requester has USER_CONFIG permission but does not check if the requester actually manages the target user. This allows the attacker to send a PATCH request with an arbitrary user ID and, for example, set the "enabled" field to false, effectively disabling that user’s account.

The expected behavior is that the API should enforce management checks to ensure that only managers of a user can modify that user's details, rejecting unauthorized requests with a 403 Forbidden response. This check is implemented for password changes but missing for other fields, including the critical "enabled" field.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers outside their management scope.

By disabling accounts, the attacker can lock out legitimate users from the system, disrupting normal user flow and potentially blocking access to critical application functions.

Because the vulnerability allows modification of user accounts without proper authorization checks, it can lead to unauthorized privilege changes and denial of service for key users.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other user accounts.

A detection approach involves authenticating as a USER_CONFIG user, obtaining a Bearer token, and then checking if PATCH requests are sent to modify users outside the requester's management scope.

Example commands to test or detect the vulnerability include:

• Authenticate as a USER_CONFIG user and obtain a Bearer token.
• Use a GET request to retrieve user IDs: curl -H "Authorization: Bearer <token>" https://<crafty-controller>/api/v2/users
• Send a PATCH request to disable a user outside your management scope: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller>/api/v2/users/{victim_user_id}

If such a request succeeds in disabling a user account without proper authorization checks, the vulnerability is present.

Immediate mitigation steps include restricting USER_CONFIG permissions only to trusted users and monitoring API usage for suspicious PATCH requests to /api/v2/users/{user_id}.

Additionally, implement access controls or firewall rules to limit API access to trusted networks or users.

If possible, apply any available patches or updates from the vendor that enforce proper management checks on the PATCH /api/v2/users/{user_id} endpoint.

As a temporary workaround, audit and review user permissions regularly to ensure no unauthorized modifications occur.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It affects the PATCH /api/v2/users/{user_id} endpoint, where a remote, authenticated attacker with USER_CONFIG permission can modify or disable any other user's account without proper authorization checks.

The vulnerability occurs because the API only verifies that the requester has USER_CONFIG permission but does not check whether the requester actually manages the target user. This allows an attacker to send a PATCH request with an arbitrary user ID and change critical fields like "enabled" to false, effectively locking out other users, including administrators and managers.

The expected behavior is that the API should enforce a management check to ensure the requester can only modify users they manage, rejecting unauthorized requests with a 403 Forbidden response. This check is currently missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account in the system, including administrators and managers outside their management scope.

By setting the "enabled" field to false on targeted accounts, the attacker can effectively lock out legitimate users from accessing the application, disrupting normal user operations and potentially causing denial of service for critical users.

Because the vulnerability allows modification of user accounts without proper authorization, it can lead to significant operational disruption and compromise of administrative control.

This vulnerability can be detected by monitoring API requests to the PATCH /api/v2/users/{user_id} endpoint, especially those made by users with USER_CONFIG permission. Suspicious activity includes PATCH requests that modify the "enabled" field of user accounts, particularly setting it to false.

To detect exploitation attempts, you can look for PATCH requests with JSON bodies containing {"enabled": false} targeting user IDs outside the requester's management scope.

Example commands to detect such activity might include:

• Using network traffic capture tools like tcpdump or Wireshark to filter PATCH requests to /api/v2/users endpoints.
• Using grep or similar tools on server logs to find PATCH requests with "enabled": false in the request body.
• Example grep command: grep -i 'PATCH /api/v2/users' /var/log/crafty-controller/access.log | grep '"enabled": false'

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users, as this permission allows modification of other user accounts.

Monitor and audit API usage for suspicious PATCH requests to /api/v2/users/{user_id} that attempt to disable user accounts.

If possible, apply any available patches or updates from the vendor that address this vulnerability.

As a temporary workaround, consider implementing additional access controls or API gateway rules to enforce management hierarchy checks before allowing user modifications.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

Because of this missing management check, a remote authenticated attacker with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, by sending a specially crafted PATCH request.

For example, the attacker can set the "enabled" field of another user's account to false, effectively locking that user out of the system. This vulnerability arises from improper API permissions validation.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including high-privilege accounts such as administrators and managers.

Such unauthorized modifications can disrupt normal user operations, block legitimate users from accessing the system, and potentially cause denial of service by locking out critical accounts.

Because the attacker can target users outside their management scope, this flaw can lead to significant security and operational risks within the affected environment.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other users' accounts.

A detection approach involves authenticating as a USER_CONFIG user, then using the following commands to test for the vulnerability:

• 1. Obtain a Bearer token by authenticating as a non-superuser with USER_CONFIG permission.
• 2. Retrieve user IDs with: GET /api/v2/users
• 3. Attempt to disable a user account by sending a PATCH request: PATCH /api/v2/users/{victim_user_id} with JSON body {"enabled": false}

If the PATCH request succeeds in disabling a user outside the requester's management scope, the vulnerability is present.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage for suspicious PATCH requests to /api/v2/users/{user_id}.

Additionally, ensure that the application enforces proper management hierarchy checks on all user modification actions, especially for the "enabled" field, to prevent users from modifying accounts they do not manage.

If possible, apply any available patches or updates from the vendor that address this permission validation flaw.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

This allows an attacker to send a PATCH request with an arbitrary user ID and set the "enabled" field to false, effectively locking out other users from the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response.

This vulnerability can have a significant impact by allowing an authenticated user with USER_CONFIG permission to disable or modify any other user's account, including administrators and managers.

By setting the "enabled" field to false on other users' accounts, an attacker can lock them out of the system, disrupting normal user operations and potentially blocking access to critical administrative functions.

This can lead to denial of service for legitimate users and may cause operational disruptions within the affected organization.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other user accounts.

A possible detection method involves capturing and analyzing API traffic to identify if a non-superuser with USER_CONFIG permission is sending PATCH requests to disable other users by setting {"enabled": false}.

Example commands to detect such activity could include using curl to simulate or check for suspicious requests, or using network monitoring tools to filter for PATCH requests to /api/v2/users endpoints.

• Authenticate as a user with USER_CONFIG permission to obtain a Bearer token.
• Use a GET request to list users and their IDs: curl -H "Authorization: Bearer <token>" https://<crafty-controller-host>/api/v2/users
• Check for PATCH requests that modify the "enabled" field to false: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/<target_user_id>

Monitoring logs or network traffic for such PATCH requests from users with USER_CONFIG permission can help detect exploitation attempts.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage closely.

Ensure that users with USER_CONFIG permission are aware of the risk and audit their actions regularly.

If possible, apply any available patches or updates from the Crafty Controller project that address this vulnerability.

As a temporary workaround, consider implementing network-level controls or API gateway rules to block PATCH requests that attempt to modify the "enabled" field for users outside the requester's management scope.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where a remote, authenticated user with USER_CONFIG permission can modify or disable any other user's account without proper authorization checks.

The vulnerability arises because the API only verifies that the requester has USER_CONFIG permission but does not check whether the requester manages the target user. This allows an attacker to send a PATCH request with an arbitrary user ID and change critical fields like "enabled" to false, effectively locking out other users, including administrators and managers outside their management scope.

The expected behavior is that the API should enforce a management check to ensure the requester can only modify users they manage, rejecting unauthorized requests with a 403 Forbidden response. This check is currently missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account in the system, including administrators and managers outside their management scope.

By setting the "enabled" field of a user account to false, the attacker can effectively lock out legitimate users from accessing the system, disrupting normal operations and potentially causing denial of service for critical users.

Because the vulnerability allows modification of user accounts without proper authorization, it can lead to unauthorized access control changes and compromise the integrity and availability of the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other users' accounts.

A detection approach involves checking logs or capturing network traffic for suspicious API calls where a user modifies another user's "enabled" status without proper management rights.

Example commands to detect such activity could include:

• Using grep on server logs to find PATCH requests modifying user accounts: grep -i 'PATCH /api/v2/users/' /var/log/crafty-controller/access.log | grep '"enabled": false'
• Using curl to test the vulnerability (for authorized users only):
• 1. Authenticate as a USER_CONFIG user to get a Bearer token.
• 2. Retrieve user IDs with: curl -H "Authorization: Bearer <token>" https://<crafty-controller>/api/v2/users
• 3. Attempt to disable a user with: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller>/api/v2/users/{victim_user_id}

If the PATCH request succeeds in disabling a user outside the requester's management scope, the vulnerability is present.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage closely.

Ensure that only users who truly need to modify user accounts have USER_CONFIG permission, as this permission currently allows modification of any user due to missing management checks.

Additionally, implement network-level controls such as firewall rules or API gateways to limit access to the PATCH /api/v2/users/{user_id} endpoint.

If possible, apply any available patches or updates from the vendor that address this issue.

As a temporary workaround, monitor and alert on PATCH requests that modify the "enabled" field for users outside the requester's management scope.

The vulnerability allows an authenticated user with USER_CONFIG permission to disable or modify other users' accounts, including administrators, without proper authorization checks. This can lead to unauthorized access control changes and potential denial of service for legitimate users.

Such unauthorized modifications and potential disruption of user accounts could impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls, user data protection, and accountability for user management actions.

Specifically, the failure to enforce proper permission validation may violate principles of least privilege and proper user authorization, increasing the risk of data breaches or service interruptions that these regulations aim to prevent.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

This allows an attacker to send a PATCH request with an arbitrary user ID and set the "enabled" field to false, effectively locking out other users from the system. The expected behavior is that the system should enforce management checks and reject unauthorized modifications with a 403 Forbidden response.

This vulnerability can have a severe impact by allowing an authenticated user with USER_CONFIG permission to disable or modify any other user's account, including administrators and managers, regardless of their role or permissions.

As a result, attackers can lock out legitimate users from the system, disrupt normal user workflows, and block access to the application, potentially causing significant operational disruption.

This vulnerability can be detected by monitoring for suspicious PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission.

To detect exploitation attempts, you can look for PATCH requests that disable user accounts outside the requester's management scope.

• Authenticate as a user with USER_CONFIG permission to obtain a Bearer token.
• Use a command to retrieve user IDs, for example: curl -H "Authorization: Bearer <token>" https://<crafty-controller-host>/api/v2/users
• Check for PATCH requests like: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/{victim_user_id}

Network monitoring tools or logs should be reviewed for such PATCH requests that disable accounts, especially if the requester is not the manager of the target user.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage for unauthorized PATCH requests that disable user accounts.

Ensure that users with USER_CONFIG permission are aware of the risk and audit their actions regularly.

If possible, apply any available patches or updates from the Crafty Controller project that enforce proper management checks on the PATCH /api/v2/users/{user_id} endpoint.

As a temporary workaround, consider implementing additional access controls or API gateway rules to block PATCH requests that attempt to disable users unless the requester manages the target user.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

This allows an attacker to send a PATCH request to disable other users by setting their "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an authenticated user with USER_CONFIG permission to disable or modify any other user's account, including administrators and managers, regardless of their role or permissions.

As a result, attackers can lock out legitimate users from the system, disrupt normal user operations, and potentially block access to critical administrative functions.

This can lead to denial of service for important users and compromise the availability and integrity of the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission who are not managers of the target user.

To detect exploitation attempts, you can look for PATCH requests with JSON bodies containing {"enabled": false} targeting user IDs outside the requester's management scope.

Suggested commands to detect this activity include:

• Using curl to simulate or check logs for suspicious PATCH requests: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/<target_user_id>
• Checking web server or application logs for PATCH requests to /api/v2/users/ with payloads disabling users.
• Using API audit logs or network monitoring tools to filter for PATCH requests with "enabled": false in the request body from users with USER_CONFIG permission.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring for suspicious PATCH requests that disable user accounts.

Additionally, ensure that the API endpoint enforces proper management checks so that users can only modify accounts they manage.

If possible, apply any available patches or updates from the Crafty Controller project that address this vulnerability.

As a temporary workaround, consider disabling or limiting access to the PATCH /api/v2/users/{user_id} endpoint for users with USER_CONFIG permission until a fix is applied.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller. It affects the PATCH /api/v2/users/{user_id} endpoint in version 4.10.2. The vulnerability allows a remote, authenticated user with USER_CONFIG permission to modify or disable any other user's account, including administrators and managers outside their management scope.

The root cause is that the API only checks if the requester has USER_CONFIG permission but does not verify whether the requester actually manages the target user. This missing check allows the attacker to send a PATCH request with an arbitrary user ID and set the "enabled" field to false, effectively locking out the target user from the system.

The expected behavior is that the API should enforce a management check and reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response. This check is implemented for password changes but missing for other fields like "enabled".

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers, regardless of their role or permissions.

By setting the "enabled" field to false on targeted accounts, the attacker can lock out legitimate users from accessing the system, disrupting normal user flow and potentially blocking critical administrative functions.

Because the vulnerability affects user management controls, it can lead to denial of service for important users and compromise the integrity of user access controls within the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission who are not managers of the target user.

To detect exploitation attempts, you can look for PATCH requests with JSON bodies containing {"enabled": false} targeting user IDs outside the requester's management scope.

Suggested commands include using network traffic inspection tools or API logs to filter such requests. For example, using curl to simulate or detect suspicious requests:

• curl -H "Authorization: Bearer <token>" -X PATCH https://<crafty-controller-host>/api/v2/users/<victim_user_id> -d '{"enabled": false}'

Additionally, reviewing API access logs for PATCH requests to /api/v2/users/ with changes to the "enabled" field can help identify potential abuse.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage closely.

Ensure that the application is updated to a version where the PATCH /api/v2/users/{user_id} endpoint enforces management hierarchy checks before allowing modifications to user accounts.

As a temporary workaround, audit and limit the ability of users with USER_CONFIG permission to perform PATCH requests that modify the "enabled" field on other users.

Also, consider implementing network-level controls or API gateways to detect and block suspicious PATCH requests that attempt to disable user accounts.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller. It occurs because the PATCH /api/v2/users/{user_id} endpoint only checks if the requester has USER_CONFIG permission but does not verify whether the requester manages the target user. This allows a remote, authenticated attacker with USER_CONFIG permission to modify or disable any other user's account, including administrators and managers outside their management scope.

Specifically, an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including those of administrators and managers who are not under their control. This can disrupt normal user operations and block access to the application by locking out critical users.

Such unauthorized modifications can lead to denial of service for legitimate users, potential loss of administrative control, and overall disruption of the system's user management and security.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other user accounts.

A practical detection method involves checking logs or capturing network traffic for suspicious API calls where a user with USER_CONFIG permission sends a PATCH request to disable other users by setting {"enabled": false}.

Example commands to detect such activity might include:

• Using grep on server logs to find PATCH requests modifying user accounts: grep 'PATCH /api/v2/users/' /var/log/crafty-controller/access.log | grep '"enabled": false'
• Using curl to simulate the exploit for testing detection: curl -X PATCH https://your-crafty-controller/api/v2/users/{victim_user_id} -H 'Authorization: Bearer <token_with_USER_CONFIG>' -H 'Content-Type: application/json' -d '{"enabled": false}'

Immediate mitigation steps include restricting USER_CONFIG permissions only to trusted users and monitoring API usage closely.

Additionally, ensure that the PATCH /api/v2/users/{user_id} endpoint enforces proper management checks so that users can only modify accounts they manage. Until a patch is applied, avoid granting USER_CONFIG permission broadly.

If possible, disable or restrict access to the vulnerable API endpoint or implement network-level controls to limit access.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a remote authenticated user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope. This happens because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

As a result, an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including high-privilege accounts like administrators and managers.

Such unauthorized modifications can disrupt normal user operations, potentially locking out critical users from the system and causing denial of service to legitimate users.

Because the attacker can disable accounts outside their management scope, this can lead to significant operational disruption and loss of control over user access.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission who are not managers of the target user.

To detect exploitation attempts, you can look for PATCH requests with JSON bodies like {"enabled": false} targeting user IDs outside the requester's management scope.

Suggested commands include using network traffic inspection tools or API logs to filter such requests. For example, using curl to simulate or detect suspicious requests:

• curl -X PATCH https://your-crafty-controller/api/v2/users/{victim_user_id} -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}'

Additionally, reviewing API access logs for PATCH requests to /api/v2/users/ with changes to the "enabled" field can help identify potential exploitation.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring or blocking PATCH requests that attempt to modify the "enabled" field of users outside the requester's management scope.

You should also implement or verify that the API enforces management hierarchy checks on all user modification actions, not just password changes.

If possible, temporarily disable or limit access to the PATCH /api/v2/users/{user_id} endpoint for users with USER_CONFIG permission until a patch or fix is applied.

Finally, update Crafty Controller to a version where this vulnerability is fixed once available.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and reviewing current users who have this permission.

Additionally, monitor and audit API usage to detect and block unauthorized PATCH requests that attempt to disable user accounts.

If possible, apply any available patches or updates from the Crafty Controller project that address this vulnerability.

As a temporary workaround, consider implementing network-level controls or API gateway rules to block PATCH requests that modify the "enabled" field unless the requester is verified as the manager of the target user.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

A remote, authenticated user with USER_CONFIG permission can exploit this flaw to modify or disable any other user's account, including administrators and managers outside their management scope. This happens because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester actually manages the target user.

For example, an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking that user out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields like "enabled".

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers, regardless of their role or permissions.

Such unauthorized modifications can disrupt normal user operations, potentially locking out critical users from the system and blocking application usage.

Because the vulnerability allows disabling accounts without proper authorization checks, it can lead to denial of service for legitimate users and compromise the integrity of user management within the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other users' accounts.

A detection approach involves authenticating as a user with USER_CONFIG permission, then using API calls to check if it is possible to modify other users' "enabled" status without proper authorization.

• Authenticate and obtain a Bearer token as a USER_CONFIG user.
• Use the command: curl -H "Authorization: Bearer <token>" https://<crafty-controller-host>/api/v2/users to retrieve user IDs.
• Attempt to disable another user by sending a PATCH request: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/{victim_user_id}

If the request succeeds and disables the target user, the vulnerability is present. Proper behavior would reject such requests with a 403 Forbidden response if the requester does not manage the target user.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage for suspicious PATCH requests to user accounts.

Additionally, review and enforce proper permission checks on the PATCH /api/v2/users/{user_id} endpoint to ensure that users can only modify accounts they manage.

If possible, apply any available patches or updates from the vendor that address this issue.

As a temporary workaround, consider disabling or limiting access to the vulnerable API endpoint until a fix is applied.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

Because of this missing management check, a remote authenticated attacker with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope.

For example, the attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking that user out of the system.

The expected behavior is that the API should reject modification requests for users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers, regardless of their role or permissions.

Such unauthorized modifications can disrupt normal user operations, potentially locking out critical users from the system and causing denial of service to legitimate users.

Because the attacker can disable accounts, this can block application usage and interfere with administrative control, leading to operational and security risks.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission.

To detect exploitation attempts, you can look for PATCH requests with JSON bodies containing {"enabled": false} targeting user IDs outside the requester's management scope.

Suggested commands include using network traffic inspection tools or API logs to identify such requests. For example, using curl to simulate detection:

• Authenticate as a USER_CONFIG user to obtain a Bearer token.
• Use GET /api/v2/users to list user IDs.
• Check logs or capture traffic for PATCH requests to /api/v2/users/{user_id} with payload {"enabled": false}.

Example curl command to test the vulnerability (for detection purposes):

• curl -X PATCH https://your-crafty-controller/api/v2/users/{victim_user_id} -H "Authorization: Bearer {token}" -H "Content-Type: application/json" -d '{"enabled": false}'

Immediate mitigation steps include restricting USER_CONFIG permissions to trusted users only, as this permission allows modification of other users.

Monitor and audit API usage for suspicious PATCH requests to /api/v2/users/{user_id} that attempt to disable user accounts.

If possible, apply any available patches or updates from the Crafty Controller project that address this vulnerability.

As a temporary workaround, consider implementing additional access controls or API gateway rules to enforce management hierarchy checks before allowing user modifications.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

This means an attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a severe impact by allowing an authenticated user with USER_CONFIG permission to disable or modify any other user's account, including high-privilege accounts like administrators and managers.

As a result, attackers can lock out legitimate users from the system, disrupt normal user operations, and potentially block access to critical administrative functions.

This can lead to denial of service for important users and compromise the availability and integrity of the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other user accounts.

A detection approach involves checking logs or capturing API traffic for suspicious PATCH requests that include JSON bodies like {"enabled": false} targeting user IDs outside the requester's management scope.

Example commands to detect such activity could include:

• Using curl to simulate the exploit (for testing detection):
• curl -X PATCH https://<crafty-controller-host>/api/v2/users/<victim_user_id> -H "Authorization: Bearer <token_with_USER_CONFIG>" -H "Content-Type: application/json" -d '{"enabled": false}'
• Using grep or similar tools on server logs to find PATCH requests modifying the "enabled" field:
• grep -i 'PATCH /api/v2/users/' /var/log/crafty-controller/access.log | grep '"enabled": false'

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where a remote, authenticated attacker with USER_CONFIG permission can modify or disable any other user's account without proper permission checks.

The vulnerability arises because the API only verifies that the requester has USER_CONFIG permission but does not check whether the requester manages the target user. This allows an attacker to send a PATCH request with an arbitrary user ID and disable that user by setting the "enabled" field to false, effectively locking them out of the system.

The expected behavior is that the API should enforce a management check to ensure the requester manages the target user before allowing modifications. This check is currently missing for fields like "enabled", although it exists for password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers outside their management scope.

By disabling critical user accounts, the attacker can lock legitimate users out of the system, disrupt normal user flow, and block application usage.

This can lead to denial of service for important users and potentially compromise the security and availability of the application.

This vulnerability can be detected by monitoring for suspicious PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being set to false by users with USER_CONFIG permission.

To detect exploitation attempts, you can look for PATCH requests that disable user accounts outside the requester's management scope.

• Authenticate as a user with USER_CONFIG permission and obtain a Bearer token.
• Use a command like: curl -H "Authorization: Bearer <token>" https://<crafty-controller-host>/api/v2/users to list user IDs.
• Check logs or capture network traffic for PATCH requests similar to: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/{victim_user_id}

A 403 Forbidden response should be expected if the management check is properly enforced; absence of this may indicate vulnerability exploitation.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage for unauthorized PATCH requests to user accounts.

Ensure that the API endpoint /api/v2/users/{user_id} enforces management hierarchy checks before allowing modifications to user accounts, especially for the "enabled" field.

If possible, apply any available patches or updates from the vendor that address this permission validation flaw.

As a temporary workaround, consider disabling or limiting access to the PATCH /api/v2/users/{user_id} endpoint for users with USER_CONFIG permission until a fix is applied.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs in the PATCH /api/v2/users/{user_id} endpoint, where the system improperly validates API permissions.

Specifically, a user with USER_CONFIG permission can modify or disable any other user's account, including administrators and managers outside their management scope, because the endpoint only checks if the requester has USER_CONFIG permission but does not verify if the requester manages the target user.

This allows an attacker to send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system.

The expected behavior is that the API should enforce management checks and reject requests targeting users outside the requester's management hierarchy with a 403 Forbidden response, but this check is missing for fields other than password changes.

This vulnerability can have a significant impact by allowing an authenticated user with USER_CONFIG permission to disable or modify any other user's account, including high-privilege accounts such as administrators and managers.

As a result, attackers can lock out legitimate users from the system, disrupt normal user operations, and potentially block access to critical administrative functions.

This can lead to denial of service for users and may cause operational disruptions within the affected application.

This vulnerability can be detected by monitoring for suspicious PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is set to false by a user with USER_CONFIG permission.

To detect exploitation attempts, you can look for PATCH requests that disable user accounts outside the requester's management scope.

Suggested commands include:

• Use network traffic capture tools (e.g., tcpdump or Wireshark) to filter HTTP PATCH requests to /api/v2/users/*.
• Example tcpdump command: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i PATCH
• Check application logs for PATCH requests with JSON bodies containing {"enabled": false}.
• Use API request logging or auditing to identify users with USER_CONFIG permission making such requests.

Immediate mitigation steps include restricting USER_CONFIG permission to trusted users only, as this permission allows modification of other users.

Monitor and audit API usage to detect and respond to unauthorized PATCH requests that disable user accounts.

If possible, apply patches or updates from the vendor that enforce proper management checks on the PATCH /api/v2/users/{user_id} endpoint.

As a temporary workaround, consider disabling or limiting access to the vulnerable API endpoint until a fix is applied.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It allows a remote, authenticated user with USER_CONFIG permission to modify or disable any other user's account, including administrators and managers outside their management scope.

The vulnerability exists because the API endpoint PATCH /api/v2/users/{user_id} only checks if the requester has USER_CONFIG permission but does not verify whether the requester actually manages the target user. This missing check allows unauthorized modifications.

An attacker can send a PATCH request to disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The expected behavior is that the system should reject such requests with a 403 Forbidden response if the target user is outside the requester's management hierarchy.

This vulnerability can have a significant impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including those of administrators and managers.

Such unauthorized modifications can disrupt normal user operations, potentially locking out critical users from the system and causing denial of service for legitimate users.

Because the attacker can disable accounts regardless of role or permissions, this can lead to loss of control over user management and compromise the integrity and availability of the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other user accounts.

A detection approach involves authenticating as a USER_CONFIG user and checking if PATCH requests are accepted for user IDs outside the requester's management scope, which should normally be rejected.

• Use a GET request to list users and their IDs: curl -H "Authorization: Bearer <token>" https://<crafty-controller>/api/v2/users
• Attempt a PATCH request to disable a user outside your management scope: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller>/api/v2/users/<victim_user_id>

If the PATCH request succeeds in disabling the user without a 403 Forbidden response, the vulnerability is present.

Immediate mitigation steps include restricting USER_CONFIG permissions only to trusted users and monitoring API usage for suspicious PATCH requests to user accounts.

Additionally, implement or enforce proper permission checks on the PATCH /api/v2/users/{user_id} endpoint to ensure that users can only modify accounts they manage. Requests targeting users outside the management hierarchy should be rejected with a 403 Forbidden response.

If possible, update Crafty Controller to a version where this vulnerability is fixed or apply any available patches from the vendor.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It affects the PATCH /api/v2/users/{user_id} endpoint, allowing a remote, authenticated attacker with USER_CONFIG permission to modify or disable any other user's account without proper authorization checks.

The vulnerability occurs because the API only verifies that the requester has USER_CONFIG permission but does not check whether the requester manages the target user. This missing check allows an attacker to send a PATCH request with an arbitrary user ID and change critical fields like "enabled" to false, effectively locking out other users, including administrators and managers.

The expected behavior is that the API should enforce a management hierarchy check and reject requests targeting users outside the requester's scope with a 403 Forbidden response. However, this check is only implemented for password changes and not for other fields.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers, regardless of their management scope.

By setting the "enabled" field to false on targeted accounts, the attacker can effectively lock out legitimate users from the system, disrupting normal operations and potentially causing denial of service for critical users.

Because the vulnerability allows modification of user accounts without proper authorization, it can lead to loss of control over user management and compromise the integrity and availability of the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other user accounts.

A detection approach involves checking logs or capturing network traffic for suspicious API calls where a user modifies another user's "enabled" status without proper management rights.

Example commands to detect such activity include:

• Using curl to simulate the exploit (for testing detection):
• curl -X PATCH https://your-crafty-controller/api/v2/users/{victim_user_id} -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}'
• Using grep or similar tools to search logs for PATCH requests modifying the "enabled" field:
• grep -i 'PATCH /api/v2/users/' /path/to/access.log | grep '"enabled": false'

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage closely.

Ensure that the application is updated to a version where the API properly enforces management checks on user modification requests, especially for the "enabled" field.

As a temporary workaround, consider disabling or limiting access to the PATCH /api/v2/users/{user_id} endpoint for users who do not require it.

Additionally, review and audit user permissions regularly to prevent unauthorized privilege escalation.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It occurs because the PATCH /api/v2/users/{user_id} endpoint only checks if the requester has USER_CONFIG permission but does not verify whether the requester actually manages the target user.

This flaw allows a remote, authenticated attacker with USER_CONFIG permission to modify or disable any other user's account, including administrators and managers outside their management scope, by sending a specially crafted PATCH request.

For example, an attacker can disable another user's account by setting the "enabled" field to false, effectively locking them out of the system. The vulnerability arises because the API fails to enforce management hierarchy checks for fields other than password changes.

This vulnerability can have severe impacts by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including high-privilege accounts such as administrators and managers.

Such unauthorized modifications can disrupt normal user operations, potentially locking out critical users from the system and causing denial of service to legitimate users.

Because the attacker can disable accounts outside their management scope, this can lead to significant operational disruption and loss of control over user access.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other user accounts.

A possible detection method involves capturing and analyzing API traffic to identify if a non-superuser with USER_CONFIG permission is sending PATCH requests to disable other users.

Example commands to detect such activity include:

• Use network traffic capture tools like tcpdump or Wireshark to filter HTTP PATCH requests to /api/v2/users endpoints.
• Example tcpdump command: tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'PATCH /api/v2/users/'
• Analyze logs or API gateway logs for PATCH requests with JSON bodies containing {"enabled": false} made by users with USER_CONFIG permission.
• Use API audit logs to identify if any user modification requests bypass management scope checks.

Immediate mitigation steps include restricting USER_CONFIG permission to trusted users only, as this permission allows modification of other user accounts.

Additionally, monitor and audit all PATCH requests to the /api/v2/users/{user_id} endpoint to detect and block unauthorized user modifications.

If possible, apply access control rules or firewall policies to limit API access to only authorized management users.

Consider temporarily disabling or limiting the PATCH /api/v2/users/{user_id} endpoint until a patch or fix is applied.

Finally, update Crafty Controller to a version where this vulnerability is fixed once available.

CVE-2026-5652 is an Insecure Direct Object Reference (IDOR) vulnerability in the Users API component of Crafty Controller version 4.10.2. It affects the PATCH /api/v2/users/{user_id} endpoint, where a remote, authenticated attacker with USER_CONFIG permission can modify or disable any other user's account without proper permission checks.

The vulnerability occurs because the API only verifies that the requester has USER_CONFIG permission but does not check whether the requester manages the target user. This allows an attacker to send a PATCH request with an arbitrary user ID and disable that user by setting the "enabled" field to false.

The expected behavior is that the API should enforce a management check to ensure the requester can only modify users they manage, rejecting unauthorized requests with a 403 Forbidden response. This check is missing for fields like "enabled", although it exists for password changes.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers outside their management scope.

By disabling critical user accounts, an attacker can lock out legitimate users from the system, disrupt normal user flow, and block application usage. This can lead to denial of service for important users and potentially compromise the management and security of the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other users' accounts.

A detection approach involves authenticating as a USER_CONFIG user, then using the following commands to test the vulnerability:

• 1. Obtain a Bearer token by authenticating as a USER_CONFIG user.
• 2. Retrieve user IDs with: curl -H "Authorization: Bearer <token>" https://<crafty-controller-host>/api/v2/users
• 3. Attempt to disable a user account by sending a PATCH request: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/<victim_user_id>

If the PATCH request succeeds in disabling a user account outside the requester's management scope, the vulnerability is present.

Immediate mitigation steps include restricting USER_CONFIG permission to only trusted users and monitoring API usage for suspicious PATCH requests to /api/v2/users/{user_id}.

Additionally, ensure that any user modification requests are properly validated to confirm the requester manages the target user before allowing changes.

If possible, temporarily disable or limit access to the PATCH /api/v2/users/{user_id} endpoint until a patch or fix is applied.

Apply any available security updates or patches from the vendor that address this improper permissions validation.

This vulnerability can have a severe impact by allowing an attacker with USER_CONFIG permission to disable or modify any user account, including administrators and managers, regardless of their management scope.

Such unauthorized modifications can disrupt normal user operations, potentially locking out critical users from the system and causing denial of service for legitimate users.

Because the attacker can disable accounts arbitrarily, this can lead to significant operational disruption and loss of control over user management within the application.

This vulnerability can be detected by monitoring for unauthorized PATCH requests to the /api/v2/users/{user_id} endpoint where the "enabled" field is being modified. Specifically, look for PATCH requests made by users with USER_CONFIG permission that attempt to disable other users' accounts.

A detection approach involves authenticating as a user with USER_CONFIG permission, then using the following commands to test if the vulnerability exists:

• Obtain a Bearer token by authenticating as a USER_CONFIG user.
• Retrieve user IDs with: curl -H "Authorization: Bearer <token>" https://<crafty-controller-host>/api/v2/users
• Attempt to disable a user account by sending a PATCH request: curl -X PATCH -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"enabled": false}' https://<crafty-controller-host>/api/v2/users/{victim_user_id}

If the PATCH request succeeds in disabling a user outside the requester's management scope, the vulnerability is present.

Immediate mitigation steps include restricting USER_CONFIG permission to only fully trusted users, as this permission currently allows modification of any user account due to improper permission validation.

Additionally, monitor and audit API usage for suspicious PATCH requests to /api/v2/users/{user_id} that attempt to disable or modify accounts outside the expected management scope.

Applying any available patches or updates from the Crafty Controller project that enforce proper management checks on user modification endpoints is critical.