PatchSiren cyber security CVE debrief
CVE-2026-61460 krayin CVE debrief
CVE-2026-61460 is an insecure direct object reference vulnerability in Krayin CRM through 2.2.3. Authenticated users can edit, update, or delete records owned by other users due to missing record-level ownership validation in edit, update, and destroy methods. This vulnerability exists in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController. Attackers can modify CRM records and reassign ownership by exploiting this vulnerability. The vulnerability has a high impact on the confidentiality, integrity, and availability of the affected system.
- Vendor
- krayin
- Product
- laravel-crm
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Krayin CRM version 2.2.3 or earlier should be aware of this vulnerability and take steps to mitigate it. System administrators, security teams, and developers responsible for maintaining and securing Krayin CRM deployments should prioritize patching or mitigating this vulnerability to prevent potential attacks.
Technical summary
The vulnerability exists in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController of Krayin CRM through 2.2.3. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods. The vulnerability allows authenticated users to access and modify records without proper authorization, leading to potential data breaches and unauthorized changes.
Defensive priority
High
Recommended defensive actions
- Update Krayin CRM to a version that includes a fix for this vulnerability
- Implement additional access controls to restrict user access to records
- Monitor CRM logs for suspicious activity
- Perform regular security audits to identify similar vulnerabilities
- Review and update incident response plans to address potential attacks
- Conduct a thorough risk assessment to identify potential exposure
- Verify the integrity of CRM records and system logs to detect potential attacks
Evidence notes
The CVE record was published on 2026-07-10T19:17:27.587Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The insecure direct object reference vulnerability exists in Krayin CRM through 2.2.3, allowing authenticated users to edit, update, or delete records owned by other users due to missing record-level ownership validation in edit, update, and destroy methods.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:27.587Z and has not been modified since then. The NVD entry is currently Deferred.