CVE-2026-7782
Authorization Bypass in Perfex CRM via Client ID Manipulation
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: VulDB
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codecanyon | perfex_crm | up to 3.4.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in CodeCanyon Perfex CRM up to version 3.4.1, specifically in the `Clients::project` function in the file `application/controllers/Clients.php` of the Tenant Handler component.
Manipulating the `ID` argument leads to an authorization bypass, allowing an attacker to gain unauthorized access.
The attack can be performed remotely, and the exploit is publicly available.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass authorization controls, potentially gaining unauthorized access to client project information or other restricted data within the Perfex CRM system.
Because the exploit is public and the attack can be performed remotely, the risk of unauthorized data exposure or manipulation is increased.
The CVSS scores indicate a moderate severity, with impacts on confidentiality, integrity, and availability.