{"id":"GHSA-rm5f-3c25-p4cw","summary":"Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint","details":"A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users by supplying a crafted GET request.","aliases":["CVE-2026-38530"],"modified":"2026-04-16T01:50:35.044790Z","published":"2026-04-14T18:30:35Z","database_specific":{"nvd_published_at":"2026-04-14T16:16:43Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-639"],"github_reviewed_at":"2026-04-16T01:31:36Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38530"},{"type":"WEB","url":"https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530"},{"type":"PACKAGE","url":"https://github.com/krayin/laravel-crm"}],"affected":[{"package":{"name":"krayin/laravel-crm","ecosystem":"Packagist","purl":"pkg:composer/krayin/laravel-crm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"2.2.0"}]}],"versions":["v1.0.0","v1.0.1","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.3.0","v1.3.1","v2.0.0","v2.0.0-BETA-1","v2.0.1","v2.0.2","v2.0.4","v2.0.5","v2.0.6","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rm5f-3c25-p4cw/GHSA-rm5f-3c25-p4cw.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}