CVE-2026-61460
Deferred Deferred - Pending Action

Authenticated Object Reference in Krayin CRM

Vulnerability report for CVE-2026-61460, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
krayin crm to 2.2.3 (inc)
krayin crm 2.2.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61460 is an Insecure Direct Object Reference (IDOR) vulnerability in Krayin CRM versions up to 2.2.3. It affects multiple controllers including LeadController, PersonController, OrganizationController, QuoteController, and ActivityController.

The vulnerability allows authenticated users to edit, update, or delete records owned by other users because the application lacks proper record-level ownership validation in the edit, update, and destroy methods of these controllers.

This means attackers can modify CRM records and reassign ownership without proper authorization checks, bypassing intended access controls.

Compliance Impact

The vulnerability allows authenticated users to edit, update, or delete records owned by other users, which can lead to unauthorized access and modification of sensitive data.

Such unauthorized access and modification can compromise data confidentiality, integrity, and availability, potentially violating data protection requirements found in standards and regulations like GDPR and HIPAA.

Because attackers can reassign ownership and manipulate CRM records without proper authorization, organizations using affected versions of Krayin CRM may face compliance risks related to improper access controls and data handling.

Impact Analysis

This vulnerability can have serious impacts on the confidentiality, integrity, and availability of your CRM data.

  • Attackers who are authenticated users can modify records they do not own, including editing, updating, or deleting them.
  • They can reassign ownership of records, potentially disrupting business workflows and data ownership.
  • Sensitive data can be read or altered by unauthorized users, leading to data breaches or loss of data integrity.
  • In multi-tenant environments, this can lead to cross-tenant data access and manipulation.
Detection Guidance

This vulnerability can be detected by testing whether authenticated users are able to edit, update, or delete records owned by other users without proper authorization checks.

Specifically, you can attempt to perform edit, update, or delete operations on CRM records that belong to other users and verify if the system improperly allows these actions.

Since the issue is due to missing record-level ownership validation in the edit, update, and destroy methods of multiple controllers, manual or automated tests targeting these endpoints (LeadController, PersonController, OrganizationController, QuoteController, ActivityController) can help detect the vulnerability.

No specific commands are provided in the available resources, but typical approaches include using authenticated API requests or web interface actions to attempt unauthorized modifications of other users' records.

Mitigation Strategies

The immediate mitigation step is to update Krayin CRM to a version that includes the fix for this vulnerability.

According to the resources, a fix was merged into the 2.2 branch of the krayin/laravel-crm repository via pull request #2567, which addresses the missing record-level ownership validation.

Until the update can be applied, restrict authenticated user permissions to limit their ability to edit, update, or delete records that they do not own.

Additionally, review and enforce ownership checks in the application controllers, especially in the edit, update, and destroy methods, to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61460. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart