CVE-2026-5652

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://gitlab.com/crafty-controller/crafty-4/-/work_items/705	Exploit Vendor Advisory
https://gitlab.com/crafty-controller/crafty-4/-/work_items/705	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:craftycontrol:crafty_controller:*:*:*:*:*:*:*:*

History

27 Apr 2026, 19:47

Type	Values Removed	Values Added
References	~~() https://gitlab.com/crafty-controller/crafty-4/-/work_items/705 -~~	() https://gitlab.com/crafty-controller/crafty-4/-/work_items/705 - Exploit, Vendor Advisory
CPE		cpe:2.3:a:craftycontrol:crafty_controller::::::::
First Time		Craftycontrol Craftycontrol crafty Controller

21 Apr 2026, 18:16

Type	Values Removed	Values Added
References	~~() https://gitlab.com/crafty-controller/crafty-4/-/work_items/705 -~~	() https://gitlab.com/crafty-controller/crafty-4/-/work_items/705 -

21 Apr 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-21 17:16

Updated : 2026-04-27 19:47

NVD link : CVE-2026-5652

Mitre link : CVE-2026-5652

CVE.ORG link : CVE-2026-5652

JSON object : View

Products Affected

craftycontrol

crafty_controller

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

9.0 /10