Critical BOLA Flaw Lets Attackers Hijack Webkul Krayin CRM Accounts
The National Vulnerability Database has highlighted a critical security flaw, CVE-2026-38529, impacting Webkul Krayin CRM versions up to v2.2.x. This vulnerability, classified as Broken Object-Level Authorization (BOLA), allows authenticated attackers to gain full control over user accounts.
According to the National Vulnerability Database, the vulnerability resides in the /Settings/UserController.php endpoint. By crafting specific HTTP requests, an authenticated attacker can exploit this flaw to arbitrarily reset other users' passwords. This leads to a complete account takeover, granting the attacker the same privileges as the compromised user. NVD assigns a CVSS score of 8.8 (HIGH severity); the vector indicates the flaw is exploitable over the network, has low attack complexity, and requires only low privileges from the attacker.
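The following is an added illustration, not Krayin's own code, of the class of bug described above and of the object-level check that closes it. It models a password-update handler in a generic form (no Laravel, no Krayin identifiers): the vulnerable version trusts the target user id from the request once the caller is authenticated, while the hardened version only lets a user change their own password (with the current password) or an admin change others'. It also runs a small audit-log check that flags password changes where the acting user is neither the target nor an admin, which is the trace a takeover of this kind would leave. The user table, role model and log lines are constructed.

```python
"""Added example (not Webkul Krayin CRM code): a BOLA on a password-reset
handler, its hardened counterpart, and an audit-log check for the
cross-user password changes such a flaw enables. All data is constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set
import hashlib
import hmac
import secrets


@dataclass
class User:
    id: int
    name: str
    role: str            # assumed role model: "admin" or "user"
    password_hash: str = ""


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def hash_password(pw: str, salt: Optional[str] = None) -> str:
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(pw, salt), stored)


# Constructed in-memory user table standing in for the CRM's users.
USERS = {
    1: User(1, "alice", "admin"),
    2: User(2, "bob", "user"),
    3: User(3, "carol", "user"),
}
for _u in USERS.values():
    _u.password_hash = hash_password(f"{_u.name}-initial")


def vulnerable_update(actor_id: int, target_id: int, new_password: str) -> bool:
    """BOLA: the only check is that the caller is authenticated. The target
    user id comes straight from the request and is never compared against
    the caller, so any logged-in user can reset any other user's password."""
    if actor_id not in USERS:
        raise Forbidden("not authenticated")
    USERS[target_id].password_hash = hash_password(new_password)
    return True


def hardened_update(actor_id: int, target_id: int, new_password: str,
                    current_password: Optional[str] = None) -> bool:
    """Object-level authorization: the caller may change only their own
    password (proving the current one), unless they hold the admin role."""
    actor = USERS.get(actor_id)
    if actor is None:
        raise Forbidden("not authenticated")
    target = USERS.get(target_id)
    if target is None:
        raise Forbidden("no such user")
    if actor.id == target.id:
        if current_password is None or not verify_password(current_password, actor.password_hash):
            raise Forbidden("current password required to change own password")
    elif actor.role != "admin":
        raise Forbidden("not authorized to modify another user's account")
    target.password_hash = hash_password(new_password)
    return True


def update_allowed(handler: Callable[..., bool], *args, **kwargs) -> bool:
    """Run a handler and report whether it accepted the request."""
    try:
        return handler(*args, **kwargs)
    except Forbidden:
        return False


# Constructed audit lines: key=value fields after an ISO timestamp.
LOG_LINES = [
    "2026-04-02T10:01:12Z actor=2 target=2 action=password_change result=ok",
    "2026-04-02T10:02:40Z actor=2 target=1 action=password_change result=ok",
    "2026-04-02T10:03:05Z actor=1 target=3 action=password_change result=ok",
    "2026-04-02T10:04:19Z actor=3 target=2 action=profile_view result=ok",
]


def suspicious_resets(lines: Iterable[str], admins: Set[int]) -> List[str]:
    """Flag successful password changes where the actor is neither the
    target nor a known admin: the pattern an account takeover through a
    missing object-level check leaves in the audit log."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("action") != "password_change" or fields.get("result") != "ok":
            continue
        if fields["actor"] != fields["target"] and int(fields["actor"]) not in admins:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("vulnerable, bob -> alice:", update_allowed(vulnerable_update, 2, 1, "x"))
    print("hardened,   bob -> alice:", update_allowed(hardened_update, 2, 1, "x"))
    for hit in suspicious_resets(LOG_LINES, admins={1}):
        print("ALERT:", hit)
```

The fix is the comparison between the authenticated principal and the object being acted on; authentication alone, which is all the vulnerable handler checks, says nothing about whether this caller may touch that user record. For detection, the same actor-versus-target comparison applied to password-change audit events isolates the requests worth reviewing, so logging both ids on every account modification is the prerequisite.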
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-38529 | Auth Bypass | Webkul Krayin CRM v2.2.x |
| CVE-2026-38529 | Auth Bypass | Broken Object-Level Authorization (BOLA) |
| CVE-2026-38529 | Auth Bypass | /Settings/UserController.php endpoint |
| CVE-2026-38529 | Account Takeover | Arbitrary user password reset |