Home

Description

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.

PUBLISHED Reserved 2026-07-09 | Published 2026-07-10 | Updated 2026-07-10 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version
affected

Credits

George Chen finder

References

github.com/krayin/laravel-crm/issues/2559 (Researcher Disclosure) technical-description exploit

github.com/krayin/laravel-crm/pull/2567 (Pull Request) issue-tracking

www.vulncheck.com/...direct-object-reference-via-controllers third-party-advisory

cve.org (CVE-2026-61460)

nvd.nist.gov (CVE-2026-61460)

Download JSON