CVE-2026-61460
Krayin · Laravel-CRM
Krayin Laravel-CRM is susceptible to an authorization bypass vulnerability via user-controlled keys, allowing attackers to access unauthorized resources.
Executive summary
Krayin Laravel-CRM contains an authorization bypass vulnerability that enables authenticated attackers to access or modify data they are not permitted to view.
Vulnerability
The application suffers from CWE-639 (Authorization Bypass Through User-Controlled Key). By manipulating resource identifiers in application requests, an authenticated attacker can perform unauthorized actions on objects belonging to other users or system accounts.
Business impact
With a CVSS score of 8.8, this vulnerability poses a significant risk to data confidentiality and integrity. If exploited, an attacker could harvest sensitive customer data, manipulate CRM records, or escalate privileges within the application, leading to substantial data breaches and unauthorized administrative actions within the organization's sales platform.
Remediation
Immediate Action: Consult the Krayin repository for the latest security patches or updates provided by the vendor to address IDOR-related vulnerabilities.
Proactive Monitoring: Monitor access logs for sequences of requests where a single user ID appears to be iterating through varied resource identifiers or object keys.
Compensating Controls: Implement an application-level Web Application Firewall (WAF) rule to detect and block suspicious requests containing unexpected or non-sequential resource identifiers.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This authorization bypass requires prompt intervention to protect sensitive customer information. Organizations should verify their current version of Laravel-CRM and apply the vendor-recommended security updates as soon as they are available.