Critical IDOR Vulnerability in Crafty Controller Puts Servers at Risk
The National Vulnerability Database has disclosed CVE-2026-5652, a critical Insecure Direct Object Reference (IDOR) vulnerability within the Users API component of Crafty Controller. This flaw, rated 9.0 (CRITICAL) on the CVSS scale, allows a remote, authenticated attacker to execute user modification actions without proper authorization. The issue stems from insufficient API permissions validation, enabling an attacker to bypass intended access controls.
This isn’t a theoretical risk; it’s a direct path to privilege escalation or unauthorized user manipulation for anyone with valid credentials, even low-privileged ones. The attacker’s calculus here is simple: gain any level of access, then leverage this IDOR to modify or potentially delete other user accounts, including administrative ones. This effectively gives them control over the entire Crafty Controller instance.
For defenders, this means immediate action. Any organization utilizing Crafty Controller must assume that authenticated attackers can exploit this. Because the National Vulnerability Database entry does not list affected product versions, treat every deployed version as potentially affected until the vendor confirms the affected range. This isn’t just about data; it’s about operational integrity and maintaining control over your infrastructure.
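To make the flaw concrete, here is an added illustration (written for this write-up, not Crafty Controller's own code) of the two ways a "modify user" endpoint can be built. The user model, role names and field names are assumptions. The first handler checks only that the caller is logged in, which is exactly the IDOR pattern: nothing ties the authenticated caller to the record named by `target_id`. The second adds the object-level check that the page describes as missing: a non-admin may act only on their own record and may never touch privilege-bearing fields.

```python
"""Object-level authorization for a hypothetical "modify user" API.

Illustrative code for this article; it is not Crafty Controller's
implementation. User model, roles and field names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    username: str
    is_admin: bool = False
    enabled: bool = True


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


# Fields only an administrator may change on any account.
PRIVILEGED_FIELDS = {"is_admin", "enabled"}
KNOWN_FIELDS = {"username"} | PRIVILEGED_FIELDS


def make_users():
    """Constructed in-memory user table standing in for the app's database."""
    return {
        1: User(1, "admin", is_admin=True),
        2: User(2, "alice"),
        3: User(3, "bob"),
    }


def _apply(target, changes):
    for key, value in changes.items():
        if key not in KNOWN_FIELDS:
            raise ValueError(f"unknown field {key}")
        setattr(target, key, value)
    return target


def modify_user_vulnerable(users, caller_id, target_id, changes):
    """IDOR pattern: authentication is checked, but nothing relates the
    caller to the object (target_id) being modified."""
    if caller_id not in users:
        raise Forbidden("login required")
    return _apply(users[target_id], changes)


def modify_user_hardened(users, caller_id, target_id, changes):
    """Object-level check: admins may edit anyone; everyone else may edit
    only their own record and never a privilege-bearing field."""
    caller = users.get(caller_id)
    if caller is None:
        raise Forbidden("login required")
    if target_id not in users:
        raise KeyError(target_id)  # a real handler would return 404
    if not caller.is_admin and caller_id != target_id:
        raise Forbidden("cannot modify another user's account")
    if not caller.is_admin and PRIVILEGED_FIELDS & changes.keys():
        raise Forbidden("only administrators may change role or status")
    return _apply(users[target_id], changes)


def outcome(handler, users, caller_id, target_id, changes):
    """Return 'allowed' or 'denied' so the two handlers can be compared."""
    try:
        handler(users, caller_id, target_id, changes)
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    # bob (a plain user) tries to strip admin rights from the admin account
    for handler in (modify_user_vulnerable, modify_user_hardened):
        table = make_users()
        print(handler.__name__, outcome(handler, table, 3, 1, {"is_admin": False}),
              "admin still admin:", table[1].is_admin)
```

The decisive difference is the `caller_id != target_id` comparison, which must be evaluated on the server from the session, never from an identifier the client supplies.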
What This Means For You
- If your organization uses Crafty Controller, you must immediately assess your instances for this CVE-2026-5652 vulnerability. Prioritize patching as soon as a fix is available. In the interim, strictly audit all user modification logs and review API access permissions for any accounts, especially those with low privileges, to detect anomalous activity.
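The interim audit step above can be scripted. The following is an added example, not part of the original advisory and not Crafty Controller's tooling: it scans constructed audit lines in a hypothetical `key=value` layout (Crafty Controller's real log format is not documented on this page, so the regex must be adapted to what your instance emits) and flags the two shapes of activity an IDOR in the Users API would produce: a non-admin acting on someone else's account, and a non-admin changing a privilege-bearing field on their own account.

```python
"""Flag suspicious user-modification events in an audit log.

Added example for this article. The log layout, role and field names
are assumptions; adjust LINE_RE and the sets below to your environment.
"""
import re
from collections import namedtuple

# Constructed sample lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2026-04-22T10:00:01Z actor=admin role=admin action=modify_user target=alice fields=enabled
2026-04-22T10:00:05Z actor=alice role=user action=modify_user target=alice fields=username
2026-04-22T10:00:09Z actor=bob role=user action=modify_user target=admin fields=password
2026-04-22T10:00:12Z actor=bob role=user action=modify_user target=bob fields=is_admin
2026-04-22T10:00:15Z actor=carol role=user action=delete_user target=alice fields=-
2026-04-22T10:00:20Z actor=alice role=user action=list_servers target=- fields=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) fields=(?P<fields>\S+)$"
)
USER_ACTIONS = {"modify_user", "delete_user"}
PRIVILEGED_FIELDS = {"is_admin", "enabled", "password", "roles"}

Alert = namedtuple("Alert", "ts actor target reason")


def parse_line(line):
    """Return the event as a dict, or None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def detect(log_text):
    """Return one Alert per non-admin user-account action that an IDOR
    would let through but a correct permission check would block."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["action"] not in USER_ACTIONS:
            continue
        if event["role"] == "admin":
            continue  # admins are allowed to manage other accounts
        fields = set(event["fields"].split(",")) - {"-"}
        if event["target"] != event["actor"]:
            alerts.append(Alert(event["ts"], event["actor"], event["target"],
                                "non-admin acted on another user's account"))
        elif fields & PRIVILEGED_FIELDS:
            alerts.append(Alert(event["ts"], event["actor"], event["target"],
                                "non-admin changed a privilege-bearing field"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.ts} {alert.actor} -> {alert.target}: {alert.reason}")
```

Run it against an export of your own logs; any hit from an account that should not have user-management rights is worth treating as a possible exploitation attempt until the patch is applied.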
🛡️ Detection Rules
CVE-2026-5652 - Crafty Controller Users API IDOR
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5652 | IDOR | Crafty Controller Users API component |
| CVE-2026-5652 | Auth Bypass | improper API permissions validation in Crafty Controller |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 21, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.