CVE-2026-61460 in laravel-crminfo

Summary

by MITRE • 07/10/2026

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability represents a critical insecure direct object reference flaw that fundamentally undermines the access control mechanisms within Krayin CRM version 2.2.3 and earlier. The weakness exists across multiple core controllers including LeadController, PersonController, OrganizationController, QuoteController, and ActivityController, creating a widespread security gap that affects the entire application's data integrity and user privacy protections. The vulnerability stems from insufficient validation of user permissions during record manipulation operations, allowing authenticated users to bypass normal access controls and directly reference objects they should not be authorized to modify.

The technical implementation flaw manifests in the absence of proper ownership verification checks within the edit, update, and destroy methods of these controllers. When users attempt to perform operations on CRM records, the application fails to validate whether the requesting user actually owns or has proper authorization rights to modify the target record. This allows attackers to manipulate URL parameters or API endpoints to reference records belonging to other users, effectively enabling unauthorized data modification, deletion, or transfer operations. The vulnerability operates at the application logic level rather than network or infrastructure layers, making it particularly insidious as it leverages legitimate application functionality against itself.

The operational impact of this vulnerability extends beyond simple data theft or modification, creating significant risks for organizations relying on Krayin CRM for sensitive customer information management. Attackers can exploit this weakness to reassign ownership of records, potentially gaining access to confidential lead information, customer data, or business quotes belonging to other team members. This unauthorized access capability compromises the principle of least privilege and can lead to data breaches, competitive intelligence theft, or regulatory compliance violations depending on the nature of the CRM data being managed. The vulnerability affects all authenticated users within the system, meaning that even legitimate employees could be exploited by malicious insiders or compromised accounts.

Organizations should immediately implement mitigations including comprehensive access control validation for all record-level operations across affected controllers, implementing proper ownership checks before allowing any modification or deletion actions. The fix requires adding robust validation logic to verify user ownership or explicit authorization rights before permitting record manipulation. This approach aligns with security best practices outlined in the CWE-639 category for insecure direct object references and follows ATT&CK technique T1078 for valid accounts and privilege escalation. Regular security assessments should be conducted to ensure no similar vulnerabilities exist in other application components, while also implementing proper logging and monitoring of record access patterns to detect potential exploitation attempts. The vulnerability demonstrates the critical importance of defense-in-depth strategies and proper input validation in web applications, particularly those handling sensitive business data.

Responsible

VulnCheck

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!