CVE-2026-10283
Status: Deferred - Pending Action
Missing Authentication in Bottelet DaybydayCRM

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-22
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-21
Affected Vendors & Products
Vendor: bottelet
Product: daybydaycrm
Version / Range: up to 2.2.1 (inclusive)
CWE ID / Description
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

CVE-2026-10283 is a vulnerability in Bottelet DaybydayCRM up to version 2.2.1 involving missing authentication and authorization checks in the Setting Handler component and other parts of the system.

Specifically, permissions were defined in the database but not enforced in controller methods, allowing any authenticated user to perform sensitive operations such as deleting users, clients, tasks, leads, projects, and offers without proper authorization.

Additionally, mass assignment vulnerabilities existed where endpoints accepted all request data without filtering, enabling unintended overwrites of fields.

The root cause was systemic: missing permission checks on critical operations and unsafe mass assignment usage.

Impact Analysis

This vulnerability can allow any authenticated user to perform unauthorized destructive actions such as deleting important resources including users, clients, tasks, leads, projects, and offers.

It also enables unauthorized modification of settings and unintended data changes due to mass assignment flaws.

Such unauthorized actions can lead to data loss, disruption of business operations, and compromise of system integrity.

Detection Guidance

This vulnerability involves missing permission checks in the DaybydayCRM system, allowing authenticated users without the relevant permission to perform delete and settings update operations. Detection consists of verifying whether an authenticated user who lacks that permission can delete records or modify settings.

To detect this on your system, you can attempt to perform delete operations or settings updates as a non-admin authenticated user and observe if the actions succeed.

Suggested commands or steps include:

  • Authenticate as a non-admin user.
  • Attempt to delete users, clients, tasks, leads, projects, or offers via the application interface or API endpoints.
  • Attempt to update settings through the SettingsController endpoints.
  • Monitor logs for unauthorized delete or settings update requests.
  • Use API testing tools (e.g., curl, Postman) to send delete or update requests with non-admin credentials and check the response and effect on the database.
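The manual steps above can be turned into a repeatable authorization regression test. The following is an added example written for this advisory, not DaybydayCRM's own test suite: a Laravel feature test that checks that a user without the relevant permission is refused on a delete route and on the settings update route, that a user holding the permission still succeeds, and that an undeclared request field is not written to the model. Route names, the model factories, the `givePermissionTo` helper, the `company_name` and `user_id` columns and the permission names `client-delete` and `client-update` are assumptions.

```php
<?php
// Added example, not DaybydayCRM's code. Route names, factories, the
// givePermissionTo() helper and the column names are assumptions.

namespace Tests\Feature;

use App\Models\Client;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PermissionEnforcementTest extends TestCase
{
    use RefreshDatabase;

    /** An authenticated user without the delete permission must be refused. */
    public function test_user_without_permission_cannot_delete_client(): void
    {
        $user   = User::factory()->create();   // assumed factory; no permissions granted
        $client = Client::factory()->create();

        $this->actingAs($user)
             ->delete(route('clients.destroy', $client))
             ->assertForbidden();

        // The record must survive: the check has to run before the delete.
        $this->assertDatabaseHas('clients', ['id' => $client->id]);
    }

    /** The same user must not be able to change application settings. */
    public function test_user_without_permission_cannot_update_settings(): void
    {
        $user = User::factory()->create();

        $this->actingAs($user)
             ->patch(route('settings.update'), ['company_name' => 'constructed value'])
             ->assertForbidden();
    }

    /** A user holding the permission still succeeds, so the fix is not over-broad. */
    public function test_user_with_permission_can_delete_client(): void
    {
        $admin = User::factory()->create();
        $admin->givePermissionTo('client-delete');   // assumed helper
        $client = Client::factory()->create();

        $this->actingAs($admin)
             ->delete(route('clients.destroy', $client))
             ->assertRedirect();

        $this->assertDatabaseMissing('clients', ['id' => $client->id]);
    }

    /** Mass-assignment check: a field the form never exposes must be ignored. */
    public function test_update_ignores_fields_outside_the_allowed_list(): void
    {
        $admin = User::factory()->create();
        $admin->givePermissionTo('client-update');   // assumed helper
        $client = Client::factory()->create([
            'company_name' => 'Original',
            'user_id'      => $admin->id,            // assumed owner column
        ]);

        $this->actingAs($admin)
             ->patch(route('clients.update', $client), [
                 'company_name' => 'Renamed',
                 'user_id'      => 999999,           // constructed: not a real user
             ])
             ->assertRedirect();

        $fresh = $client->fresh();
        $this->assertSame('Renamed', $fresh->company_name);
        $this->assertSame($admin->id, $fresh->user_id);   // ownership must not move
    }
}
```

Run it with `php artisan test --filter PermissionEnforcementTest` against a throwaway database; on an unpatched install the first two tests fail with a 2xx or 3xx instead of 403, which is exactly the condition the detection guidance asks you to look for.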

Mitigation Strategies

The recommended immediate mitigation step is to apply the patch that fixes the missing permission checks and mass assignment vulnerabilities in DaybydayCRM.

Specifically:

  • Update DaybydayCRM to the fixed version that includes middleware-based permission validation for all delete and settings update operations.
  • Ensure that mass assignment vulnerabilities are addressed by replacing broad `fill($request->all())` calls with explicit field filtering.
  • Verify that database seeders include all necessary delete permissions (e.g., `task-delete`, `lead-delete`, `project-delete`).
  • Review and apply any security-related documentation and migration notes provided with the patch.

Until the patch is applied, restrict access to the affected endpoints to trusted users only and monitor for suspicious activity.
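To make the two code-level fixes concrete, here is an added example in generic Laravel form; it is not DaybydayCRM's code and does not reproduce its patch. It shows the pattern the advisory warns about (a destroy method with no permission check and `fill($request->all())` in an update method) beside a hardened form that enforces a policy before the delete, restricts the writable fields to a validated list, and adds Laravel's built-in `can` route middleware as a second gate. The `Client` model, the `ClientPolicy`, the `hasPermission` helper, the route names and the field names are assumptions.

```php
<?php
// Added example, not DaybydayCRM's code. Model, policy, helper, route and
// field names are assumptions; only the Laravel APIs used are real.

use App\Http\Controllers\Controller;
use App\Models\Client;
use App\Models\User;
use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// ---------- Before: the pattern the advisory describes ----------
class UnsafeClientController extends Controller
{
    // Any authenticated user reaches this method; nothing checks a permission.
    public function destroy(Client $client)
    {
        $client->delete();
        return redirect()->route('clients.index');
    }

    // Every request key is written to the model, so a caller can set columns
    // the form never exposes (an owner or status column, for instance).
    public function update(Request $request, Client $client)
    {
        $client->fill($request->all())->save();
        return redirect()->route('clients.show', $client);
    }
}

// ---------- After ----------
// 1. A policy maps each ability to a stored permission (helper name assumed).
class ClientPolicy
{
    public function delete(User $user, Client $client): bool
    {
        return $user->hasPermission('client-delete');
    }

    public function update(User $user, Client $client): bool
    {
        return $user->hasPermission('client-update');
    }
}

// 2. A form request: only the keys declared in rules() reach the model.
class UpdateClientRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user()->can('update', $this->route('client'));
    }

    public function rules(): array
    {
        return [
            'company_name' => ['required', 'string', 'max:255'],
            'email'        => ['nullable', 'email'],
            'phone'        => ['nullable', 'string', 'max:50'],
        ];
    }
}

class ClientController extends Controller
{
    public function destroy(Client $client)
    {
        $this->authorize('delete', $client);   // 403 unless the policy allows it
        $client->delete();
        return redirect()->route('clients.index');
    }

    public function update(UpdateClientRequest $request, Client $client)
    {
        // validated() returns only the keys listed in rules(); stray fields are dropped.
        $client->fill($request->validated())->save();
        return redirect()->route('clients.show', $client);
    }
}

// 3. Route-level gate as defence in depth: Laravel's `can` middleware runs the
//    same policy ability against the route-bound model before the controller.
Route::delete('/clients/{client}', [ClientController::class, 'destroy'])
    ->name('clients.destroy')
    ->middleware(['auth', 'can:delete,client']);
```

The policy and the route middleware check the same ability, so a controller method that forgets its `authorize()` call is still covered; keeping the `$fillable` list on the model as a third layer means a future `fill($request->all())` cannot silently reintroduce the mass-assignment problem.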

Compliance Impact

The vulnerability in DaybydayCRM involves missing authentication and authorization checks, allowing any authenticated user to perform sensitive operations such as deleting users, clients, tasks, leads, projects, and offers, as well as modifying settings without proper admin permissions.

Such unauthorized access and manipulation of data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Failure to enforce permissions and authentication increases the risk of data breaches, unauthorized data modification, and loss of data integrity, all of which can result in non-compliance with these standards.

Applying the recommended patches and fixes that enforce strict authorization checks and prevent mass assignment vulnerabilities is essential to maintain compliance with these regulations.
