PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-61460 krayin CVE debrief

CVE-2026-61460 is an insecure direct object reference vulnerability in Krayin CRM through 2.2.3. Authenticated users can edit, update, or delete records owned by other users due to missing record-level ownership validation in edit, update, and destroy methods. This vulnerability exists in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController. Attackers can modify CRM records and reassign ownership by exploiting this vulnerability. The vulnerability has a high impact on the confidentiality, integrity, and availability of the affected system.

Vendor
krayin
Product
laravel-crm
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Krayin CRM version 2.2.3 or earlier should be aware of this vulnerability and take steps to mitigate it. System administrators, security teams, and developers responsible for maintaining and securing Krayin CRM deployments should prioritize patching or mitigating this vulnerability to prevent potential attacks.

Technical summary

The vulnerability exists in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController of Krayin CRM through 2.2.3. Attackers can modify CRM records and reassign ownership by exploiting missing record-level ownership validation in edit, update, and destroy methods. The vulnerability allows authenticated users to access and modify records without proper authorization, leading to potential data breaches and unauthorized changes.

Defensive priority

High

Recommended defensive actions

  • Update Krayin CRM to a version that includes a fix for this vulnerability
  • Implement additional access controls to restrict user access to records
  • Monitor CRM logs for suspicious activity
  • Perform regular security audits to identify similar vulnerabilities
  • Review and update incident response plans to address potential attacks
  • Conduct a thorough risk assessment to identify potential exposure
  • Verify the integrity of CRM records and system logs to detect potential attacks

Evidence notes

The CVE record was published on 2026-07-10T19:17:27.587Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The insecure direct object reference vulnerability exists in Krayin CRM through 2.2.3, allowing authenticated users to edit, update, or delete records owned by other users due to missing record-level ownership validation in edit, update, and destroy methods.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T19:17:27.587Z and has not been modified since then. The NVD entry is currently Deferred.