High severity8.1NVD Advisory· Published Apr 14, 2026· Updated Apr 23, 2026

CVE-2026-38530

Description

A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
krayin/laravel-crmPackagist	<= 2.2.0	—

Affected products

Webkul/Krayin CRM
cpe:2.3:a:webkul:krayin_crm:2.2.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530nvdExploitMitigationThird Party AdvisoryWEB
github.com/advisories/GHSA-rm5f-3c25-p4cwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-38530ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000