CVE-2026-5652
Crafty Controller · Users API
An insecure direct object reference (IDOR) vulnerability in the Crafty Controller Users API allows authenticated attackers to perform unauthorized user modifications.
Executive summary
A critical IDOR vulnerability in Crafty Controller’s Users API allows authenticated attackers to modify user accounts, potentially leading to full account takeover.
Vulnerability
This vulnerability is an Insecure Direct Object Reference (IDOR) flaw within the API component. It occurs because the application fails to perform adequate permissions validation, allowing an authenticated attacker to manipulate user objects they are not authorized to access.
Business impact
Successful exploitation of this flaw could allow an attacker to modify sensitive user data or escalate their own privileges within the Crafty Controller environment. Given the CVSS score of 9.0, this represents a critical risk to data integrity and system security, potentially resulting in unauthorized administrative access and significant operational disruption.
Remediation
Immediate Action: Update the Crafty Controller software to the latest available version provided by the vendor.
Proactive Monitoring: Monitor API access logs for unusual patterns of user modification requests originating from non-administrative accounts.
Compensating Controls: Implement strict API gateway controls and monitor for anomalous request parameters that deviate from standard user management workflows.
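The log review suggested under Proactive Monitoring, as an added example that is not part of this advisory or of Crafty Controller itself: it scans API access log lines for write requests in which a non-administrative actor targets a user id other than its own, which is the request shape an IDOR against a Users API produces. The log line layout, the role names and the `/api/v2/users/<id>` route are assumptions chosen for the constructed sample and should be adjusted to the deployment's real logs and routes.

```python
import re
from collections import Counter

# Constructed log layout (an assumption, not Crafty Controller's real format):
# <timestamp> actor=<user id> role=<role> <METHOD> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\d+) role=(?P<role>\w+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed Users API route shape; sub-resources such as /users/1/password also match.
USER_PATH = re.compile(r"^/api/v2/users/(?P<target>\d+)(?:/|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def cross_user_writes(lines):
    """Write requests to a user object by a non-admin actor who is not that user."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in WRITE_METHODS:
            continue
        pm = USER_PATH.match(rec["path"])
        if not pm:
            continue
        actor, target = rec["actor"], pm.group("target")
        if rec["role"] != "admin" and actor != target:
            findings.append({"ts": rec["ts"], "actor": actor, "target": target,
                             "method": rec["method"], "status": rec["status"]})
    return findings


def succeeded(findings):
    """Only the cross-user writes the server accepted (2xx); a 403 means the control held."""
    return [f for f in findings if f["status"].startswith("2")]


def actors_by_count(findings):
    """Actors ranked by how many cross-user writes they issued."""
    return Counter(f["actor"] for f in findings).most_common()


# Constructed sample: actor 7 edits its own account, then other users' accounts.
SAMPLE_LOG = [
    "2026-01-10T10:00:01Z actor=7 role=user PATCH /api/v2/users/7 200",
    "2026-01-10T10:00:05Z actor=7 role=user PATCH /api/v2/users/1 200",
    "2026-01-10T10:00:09Z actor=7 role=user PATCH /api/v2/users/2 403",
    "2026-01-10T10:01:00Z actor=1 role=admin DELETE /api/v2/users/9 200",
    "2026-01-10T10:01:30Z actor=3 role=user GET /api/v2/users/1 200",
    "2026-01-10T10:02:00Z actor=7 role=user POST /api/v2/users/1/password 200",
]
```

Successful (2xx) cross-user writes from non-admin accounts warrant immediate review of the targeted accounts; denied ones still show an actor probing the control.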
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations utilizing Crafty Controller should prioritize this update to prevent unauthorized account modification. Apply the latest vendor-supplied patches immediately to mitigate the risk of privilege escalation and potential system compromise.