{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/laravel-crm/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-61460"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Krayin CRM","laravel-crm"],"_cs_severities":["high"],"_cs_tags":["idor","crm","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Krayin"],"content_html":"\u003cp\u003eKrayin CRM, specifically versions through 2.2.3, is affected by an Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-61460. This flaw resides within multiple controllers, including \u003ccode\u003eLeadController\u003c/code\u003e, \u003ccode\u003ePersonController\u003c/code\u003e, \u003ccode\u003eOrganizationController\u003c/code\u003e, \u003ccode\u003eQuoteController\u003c/code\u003e, and \u003ccode\u003eActivityController\u003c/code\u003e. An authenticated user can exploit this vulnerability to bypass record-level ownership validation when performing edit, update, or destroy operations. This allows attackers to manipulate data belonging to other users, such as modifying or deleting their records, and even reassigning ownership of these records. The vulnerability stems from insufficient checks in the application's backend code that fail to confirm if the authenticated user is the legitimate owner of the record they are attempting to modify. This grants unauthorized data access and manipulation capabilities within the CRM system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to a Krayin CRM instance, possessing a valid user account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target CRM record (e.g., a lead, person, organization, quote, or activity) that is owned by another user.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or crafts an HTTP request to one of the vulnerable controllers, such as \u003ccode\u003eLeadController\u003c/code\u003e, \u003ccode\u003ePersonController\u003c/code\u003e, \u003ccode\u003eOrganizationController\u003c/code\u003e, \u003ccode\u003eQuoteController\u003c/code\u003e, or \u003ccode\u003eActivityController\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIn the request, the attacker specifies the unique identifier (ID) of the target record owned by another user, rather than a record owned by their own account.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes an action like \u0026quot;edit,\u0026quot; \u0026quot;update,\u0026quot; or \u0026quot;destroy\u0026quot; on the specified record ID.\u003c/li\u003e\n\u003cli\u003eDue to the missing record-level ownership validation, the Krayin CRM application processes the request successfully.\u003c/li\u003e\n\u003cli\u003eThe CRM system performs the requested operation, allowing the attacker to modify, update, or delete the record belonging to another user.\u003c/li\u003e\n\u003cli\u003eOptionally, the attacker can reassign the ownership of the manipulated record to another user or themselves, maintaining unauthorized control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61460 can lead to severe data integrity and confidentiality issues within Krayin CRM deployments. Attackers can arbitrarily modify, delete, or exfiltrate sensitive customer and organizational data stored in the CRM, leading to potential data loss, corruption, or exposure. Furthermore, the ability to reassign record ownership can disrupt business processes, undermine data trust, and facilitate further unauthorized actions by obscuring the true ownership of critical information. Organizations using Krayin CRM through version 2.2.3 are at risk of significant operational disruption and compliance violations if this vulnerability remains unpatched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply patches or upgrade Krayin CRM to a version beyond 2.2.3 to remediate CVE-2026-61460, as described in the references.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation and authorization checks at the application layer to ensure that authenticated users can only interact with records they are authorized to access.\u003c/li\u003e\n\u003cli\u003eReview web application firewall (WAF) configurations to identify and potentially block suspicious requests targeting \u003ccode\u003eLeadController\u003c/code\u003e, \u003ccode\u003ePersonController\u003c/code\u003e, \u003ccode\u003eOrganizationController\u003c/code\u003e, \u003ccode\u003eQuoteController\u003c/code\u003e, and \u003ccode\u003eActivityController\u003c/code\u003e with unexpected record IDs or parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for unusual patterns of access to CRM controller endpoints, especially those involving repeated attempts to modify or delete records belonging to different users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:21:42Z","date_published":"2026-07-10T19:21:42Z","id":"https://feed.craftedsignal.io/briefs/2026-07-krayin-crm-idor/","summary":"An Insecure Direct Object Reference (IDOR) vulnerability, CVE-2026-61460, in Krayin CRM through version 2.2.3 allows authenticated users to modify, update, or delete records owned by other users by exploiting missing record-level ownership validation in various controllers, leading to unauthorized data manipulation.","title":"Krayin CRM Insecure Direct Object Reference Vulnerability (CVE-2026-61460)","url":"https://feed.craftedsignal.io/briefs/2026-07-krayin-crm-idor/"}],"language":"en","title":"CraftedSignal Threat Feed - Laravel-Crm","version":"https://jsonfeed.org/version/1.1"}