Krayin-Crm — CraftedSignal Threat Feed

Webkul Krayin CRM SSRF Vulnerability (CVE-2026-38527)

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

CVE-2026-38527 details a Server-Side Request Forgery (SSRF) vulnerability affecting Webkul Krayin CRM version 2.2.x. The vulnerability is located in the /settings/webhooks/create component. An attacker can exploit this flaw by crafting a malicious POST request that forces the server to make requests to internal resources. This can be leveraged to scan internal network infrastructure, potentially revealing sensitive information or accessing internal services that are not meant to be exposed to the outside world. The vulnerability was published on April 14, 2026. Exploitation requires the attacker to be able to send POST requests to the affected endpoint.

Attack Chain

An attacker identifies a Webkul Krayin CRM instance running version 2.2.x.
The attacker crafts a POST request targeting the /settings/webhooks/create endpoint.
The POST request includes a malicious payload in the body, designed to trigger an SSRF vulnerability. This payload could involve specifying a URL for the webhook to call back to.
The vulnerable server processes the crafted POST request and attempts to create a new webhook.
The server-side component incorrectly handles or sanitizes the URL provided for the webhook callback.
As part of the webhook creation process, the server initiates an HTTP request to the attacker-controlled URL or internal resource specified in the crafted POST request.
The server successfully connects to the specified resource, potentially revealing information about the internal network or services.
The attacker analyzes the response from the internal service or server to gather sensitive information, such as internal hostnames, open ports, or service versions.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-38527) can allow an attacker to enumerate internal network resources, potentially identifying sensitive services and systems. This information can be used to further compromise the target environment, potentially leading to data breaches or system compromise. While the specific number of affected organizations is unknown, any organization using a vulnerable version of Webkul Krayin CRM is at risk.

Recommendation

Apply the necessary patch or upgrade to a version of Webkul Krayin CRM that resolves CVE-2026-38527.
Implement strict input validation and sanitization on all user-supplied data, especially URLs, to prevent SSRF attacks.
Monitor web server logs for suspicious requests to the /settings/webhooks/create endpoint, looking for unusual URLs or request patterns, using the provided Sigma rule.
Implement network segmentation to limit the impact of potential SSRF attacks by restricting access to sensitive internal resources.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Krayin CRM v2.2.x SQL Injection Vulnerability

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

Krayin CRM v2.2.x is susceptible to a SQL injection vulnerability identified as CVE-2026-38528. The vulnerability resides in the /Lead/LeadDataGrid.php script, specifically within the rotten_lead parameter. An attacker could exploit this vulnerability by injecting malicious SQL queries, potentially gaining unauthorized access to sensitive information stored within the CRM database. The CVSS v3.1 score is 7.1, indicating a high severity level. Successful exploitation requires a low level of privileges. This vulnerability was reported in April 2026 and could impact organizations using the affected Krayin CRM version, leading to data breaches and potential compromise of customer information.

Attack Chain

An attacker identifies a vulnerable Krayin CRM v2.2.x instance.
The attacker crafts a malicious HTTP request targeting /Lead/LeadDataGrid.php.
The HTTP request includes a SQL injection payload within the rotten_lead parameter.
The Krayin CRM application processes the request without proper sanitization of the rotten_lead parameter.
The injected SQL query is executed against the CRM database.
The attacker retrieves sensitive data from the database, such as customer details, user credentials, or financial information.
The attacker may use the compromised data for further malicious activities, such as identity theft or financial fraud.

Impact

Successful exploitation of this SQL injection vulnerability could lead to the unauthorized disclosure of sensitive customer data, financial records, and internal CRM data. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations. While the exact number of potential victims is unknown, any organization using Krayin CRM v2.2.x is at risk.

Recommendation

Apply any available patches or updates from the vendor to address CVE-2026-38528.
Implement input validation and sanitization on the rotten_lead parameter within /Lead/LeadDataGrid.php to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Krayin CRM SQL Injection Attempt” to your SIEM and tune for your environment.
Monitor web server logs for suspicious requests targeting /Lead/LeadDataGrid.php with potentially malicious SQL syntax.
Implement strong database access controls to limit the impact of successful SQL injection attacks.

Webkul Krayin CRM BOLA Vulnerability (CVE-2026-38529)

hello@craftedsignal.io — Tue, 14 Apr 2026 16:16:43 +0000

CVE-2026-38529 describes a Broken Object-Level Authorization (BOLA) vulnerability affecting Webkul Krayin CRM version 2.2.x. The vulnerability resides in the /Settings/UserController.php endpoint. An authenticated attacker can exploit this flaw by sending a crafted HTTP request. Successful exploitation allows the attacker to arbitrarily reset the passwords of other users, leading to complete account takeover. Given the potential for widespread compromise and data breaches, this vulnerability poses a critical risk to organizations using the affected Krayin CRM version. Publicly available information regarding exploitation is available on GitHub.

Attack Chain

The attacker authenticates to the Krayin CRM application with valid credentials.
The attacker crafts a malicious HTTP request targeting the /Settings/UserController.php endpoint.
The crafted request is designed to reset the password of a target user, specifying the target user’s ID.
Due to the BOLA vulnerability, the application fails to properly validate if the authenticated user has the authorization to modify the target user’s password.
The application resets the target user’s password using the attacker-supplied data.
The attacker uses the new password to log in to the target user’s account.
The attacker gains full control over the target user’s account and data.

Impact

Successful exploitation of CVE-2026-38529 allows attackers to compromise user accounts within a Webkul Krayin CRM v2.2.x instance. This can lead to unauthorized access to sensitive customer data, business records, and other confidential information. A successful attack could result in data breaches, financial loss, reputational damage, and legal liabilities. Given the potential for complete account takeover, the impact is considered critical for organizations using the vulnerable CRM.

Recommendation

Apply the patch or upgrade to a secure version of Krayin CRM that addresses CVE-2026-38529 as soon as it becomes available.
Implement the Sigma rule Detect Krayin CRM Password Reset via UserController to detect exploitation attempts targeting the vulnerable endpoint.
Review and enforce strict access control policies within the Krayin CRM application to prevent unauthorized modification of user accounts.
Monitor web server logs for suspicious activity targeting the /Settings/UserController.php endpoint.
Enable web server logging to capture detailed information about HTTP requests, including request parameters.