CVE-2026-10282
Improper Authorization in Bottelet DaybydayCRM
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bottelet | daybydaycrm | up to and including 2.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-10282 is an authorization vulnerability in DaybydayCRM that allows authenticated users to access or modify documents and assignments across organizational boundaries without proper authorization checks.
Such improper authorization can lead to unauthorized access to sensitive personal or organizational data, which may violate data protection principles required by regulations like GDPR or HIPAA.
Specifically, unauthorized document access could result in exposure of personal data, potentially breaching confidentiality and data minimization requirements.
Therefore, until patched, this vulnerability could negatively impact compliance with standards that mandate strict access controls and data protection measures.
Applying the recommended patch that enforces ownership validation and permission checks is a best practice to restore compliance and secure sensitive data.
Can you explain this vulnerability to me?
CVE-2026-10282 is a security vulnerability in DaybydayCRM (versions up to and including 2.2.1) located in DocumentsController.php, specifically the view and download methods. It is an Insecure Direct Object Reference (IDOR): any authenticated user can retrieve documents belonging to other users because the methods perform no authorization check beyond resolving the record.
The affected methods look up the document by the external_id route parameter and serve it without verifying that the requesting user owns it or is otherwise permitted to see it, so a user who knows or guesses another user's external_id can view or download that document.
Similar authorization flaws exist in the updateAssign() methods of TasksController, ProjectsController, and LeadsController, where the permission check is missing, allowing any authenticated user to change who a task, project, or lead is assigned to.
The fix involves adding ownership validation and permission checks to ensure users can only access or modify documents and assignments they own or are authorized to handle.
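The vulnerable pattern and the corrected pattern side by side, as an added illustration that is not DaybydayCRM's code or its actual patch. The field names (external_id, user_id, assigned_user_ids), the permission names and the in-memory "table" are assumptions chosen to show the check the advisory describes: resolve the record, then authorize the acting user before serving or modifying it.

```php
<?php
// Added illustration, not DaybydayCRM's code. Field names, permission names
// and the in-memory document table are assumptions.
declare(strict_types=1);

final class NotFound extends RuntimeException {}
final class Forbidden extends RuntimeException {}

// Constructed stand-in for the documents table.
$documents = [
    ['external_id' => 'a1b2', 'user_id' => 1, 'assigned_user_ids' => [],  'path' => 'storage/a1b2.pdf'],
    ['external_id' => 'c3d4', 'user_id' => 2, 'assigned_user_ids' => [3], 'path' => 'storage/c3d4.pdf'],
];

function findByExternalId(array $documents, string $externalId): array
{
    foreach ($documents as $doc) {
        if ($doc['external_id'] === $externalId) {
            return $doc;
        }
    }
    throw new NotFound("no document $externalId");
}

// BEFORE (the flaw): existence is the only check. Any logged-in user who
// knows or guesses an external_id is served the file.
function viewVulnerable(array $documents, string $externalId, array $user): array
{
    return findByExternalId($documents, $externalId);
}

// The authorization rule: owner, explicitly assigned user, or a user holding
// a "view any document" permission (hypothetical permission name).
function canViewDocument(array $user, array $doc): bool
{
    if (in_array('document.view-any', $user['permissions'], true)) {
        return true;
    }
    return $doc['user_id'] === $user['id']
        || in_array($user['id'], $doc['assigned_user_ids'], true);
}

// AFTER (the fix): resolve the record, then authorize the acting user before
// returning it. download() gets the same shape.
function viewAuthorized(array $documents, string $externalId, array $user): array
{
    $doc = findByExternalId($documents, $externalId);
    if (!canViewDocument($user, $doc)) {
        throw new Forbidden("user {$user['id']} may not view $externalId");
    }
    return $doc;
}

// Same principle for updateAssign(): reassigning a task, project or lead
// requires an explicit permission (hypothetical name), not just a valid session.
function updateAssignAuthorized(array $record, array $actor, int $newAssigneeId): array
{
    if (!in_array('modify-assign', $actor['permissions'], true)) {
        throw new Forbidden("user {$actor['id']} may not reassign");
    }
    $record['assigned_user_id'] = $newAssigneeId;
    return $record;
}

// Demo: user 3 is assigned c3d4 but has no relation to a1b2.
$user3 = ['id' => 3, 'permissions' => []];
printf("vulnerable view of a1b2 by user 3: %s\n", viewVulnerable($documents, 'a1b2', $user3)['path']);
try {
    viewAuthorized($documents, 'a1b2', $user3);
} catch (Forbidden $e) {
    echo "fixed view of a1b2 by user 3: 403 ({$e->getMessage()})\n";
}
printf("fixed view of c3d4 by user 3: %s\n", viewAuthorized($documents, 'c3d4', $user3)['path']);
try {
    updateAssignAuthorized(['id' => 7, 'assigned_user_id' => 2], $user3, 3);
} catch (Forbidden $e) {
    echo "fixed updateAssign by user 3: 403 ({$e->getMessage()})\n";
}
```

Run it with `php idor.php`. In a Laravel application the same shape is normally expressed by resolving the model and then calling `$this->authorize('view', $document)` (or a Gate/Policy check) before returning the response; whichever form the real patch uses, the property to verify is that the authorization decision is made on the resolved record and the authenticated user, not merely on the presence of a session.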
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive documents within the DaybydayCRM system, allowing authenticated users to view or download documents they should not have access to.
It also permits unauthorized modification of task, project, and lead assignments across organizational boundaries, potentially disrupting workflows and compromising data integrity.
Such unauthorized access and modifications can result in data leakage, privacy violations, and operational disruptions.
Applying the recommended patch and authorization checks is essential to prevent these impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper authorization in DaybydayCRM: the view and download methods of DocumentsController.php serve documents without an ownership check, and the updateAssign() methods of TasksController, ProjectsController, and LeadsController change assignments without a permission check, so any authenticated user can reach both.
Detection can focus on identifying unauthorized access attempts to document view or download endpoints, especially by monitoring requests manipulating the external_id parameter.
Since the vulnerability requires authentication, reviewing application logs for unusual access patterns or permission escalations related to document viewing or assignment updates is recommended.
Specific commands depend on your environment. Note that a web server access log records the request line (method and URL path), not the PHP controller name, so search for the paths that the application's routes file maps to the document view and download actions. The /documents/... prefix below is an assumption; substitute the actual paths from your routes file:
- grep -E '"GET /documents/(view|download)/[^ ]+' /var/log/nginx/access.log
- grep -E '"GET /documents/(view|download)/[^ ]+' /var/log/nginx/access.log | awk '{print $1, $7}' | sort -u | awk '{n[$1]++} END {for (c in n) if (n[c] > 5) print c, n[c]}'
The second pipeline counts distinct document URLs per client address; a single client touching many different external_id values in a short window is the pattern an enumeration attempt leaves. Because the unpatched application returns 200 for unauthorized reads, do not filter on error status codes.
Additionally, monitoring API or web requests for unauthorized assignment updates in TasksController, ProjectsController, and LeadsController can help detect exploitation attempts.
Implementing or reviewing existing security tests, such as those added in the patch, can also help detect if the vulnerability is present.
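The enumeration check described above, carried out over access log lines, as an added example that is not part of the advisory or of DaybydayCRM. The /documents/(view|download)/ path prefix is an assumption (take the real paths from the application's routes file), the log lines are constructed, and because the access log carries no username the activity is keyed on client address; key on the session or user id instead if your proxy or application logs one.

```php
<?php
// Added detection example, not part of the advisory or of DaybydayCRM. The
// /documents/(view|download)/ prefix is an assumption; the log lines below
// are constructed. Activity is keyed on client address because the access
// log has no user identity.
declare(strict_types=1);

const DOCUMENT_ROUTE = '#^/documents/(?:view|download)/([A-Za-z0-9_-]+)#';
const DISTINCT_ID_THRESHOLD = 5; // tune to what a normal client touches per day

// Constructed nginx combined-format lines: 10.0.0.5 walks six external_ids.
$sampleLog = [
    '10.0.0.5 - - [01/Jun/2026:10:00:01 +0000] "GET /documents/view/a1b2 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jun/2026:10:00:03 +0000] "GET /documents/view/c3d4 HTTP/1.1" 200 3801 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jun/2026:10:00:04 +0000] "GET /documents/view/e5f6 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jun/2026:10:00:06 +0000] "GET /documents/download/g7h8 HTTP/1.1" 200 91022 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jun/2026:10:00:07 +0000] "GET /documents/view/i9j0 HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jun/2026:10:00:09 +0000] "GET /documents/view/k1l2 HTTP/1.1" 200 4420 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jun/2026:10:05:00 +0000] "GET /documents/download/a1b2 HTTP/1.1" 200 90211 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jun/2026:10:05:02 +0000] "GET /tasks HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
];

function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

function documentIdFromPath(string $path): ?string
{
    return preg_match(DOCUMENT_ROUTE, $path, $m) === 1 ? $m[1] : null;
}

// Returns [client => ['ids' => [...], 'served' => n]] for clients that touched
// at least $threshold distinct document ids. 'served' counts 200 responses:
// on an unpatched instance those are successful cross-user reads.
function findEnumerators(iterable $lines, int $threshold = DISTINCT_ID_THRESHOLD): array
{
    $perClient = [];
    foreach ($lines as $line) {
        $r = parseAccessLine((string) $line);
        if ($r === null || $r['method'] !== 'GET') {
            continue;
        }
        $id = documentIdFromPath($r['path']);
        if ($id === null) {
            continue;
        }
        $client = $r['client'];
        $perClient[$client]['ids'][$id] = true;
        $perClient[$client]['served'] = ($perClient[$client]['served'] ?? 0) + ($r['status'] === 200 ? 1 : 0);
    }
    $flagged = [];
    foreach ($perClient as $client => $info) {
        if (count($info['ids']) >= $threshold) {
            $flagged[$client] = ['ids' => array_keys($info['ids']), 'served' => $info['served']];
        }
    }
    return $flagged;
}

$lines = $argc > 1 ? new SplFileObject($argv[1]) : $sampleLog;
foreach (findEnumerators($lines) as $client => $info) {
    printf("%s: %d distinct document ids, %d served with 200: %s\n",
        $client, count($info['ids']), $info['served'], implode(',', $info['ids']));
}
```

Run it as `php detect.php /var/log/nginx/access.log`; without an argument it processes the constructed sample, where only 10.0.0.5 crosses the threshold. The threshold is a heuristic: a user who legitimately works with many documents will also trip it, so treat a hit as a lead to correlate against the application's own session or user logs, not as proof of exploitation.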
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to apply the official patch or update to DaybydayCRM that fixes the authorization flaws in the DocumentsController and related controllers.
The patch introduces ownership validation in document view and download methods, ensuring users can only access documents they own or are assigned to, and adds permission checks to assignment update endpoints.
Until the patch is applied, reduce the population that can reach the affected endpoints: the missing check is inside the application, so it cannot be enforced by a proxy or firewall rule, and every account that can log in can exploit it. Disable unused or guest accounts, avoid shared credentials, and monitor the document and assignment endpoints for suspicious activity.
Review and tighten role-based permissions in your CRM to limit document access and assignment modifications.
Consider implementing additional logging and alerting on document access and assignment update operations to detect potential exploitation.
Follow best practices by applying security updates promptly and testing authorization controls thoroughly.