CVE-2026-5652
Published: 2026-04-21
Priority: P3 (55) | Severity: critical | CVSS 3.1 base score: 9.0
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L (PR:H: the attacker needs an account with elevated privileges, not just any login; S:C: impact reaches beyond the vulnerable component)
EPSS: 0.44% (35.1st percentile)
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
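The pattern described above, an authenticated caller supplying another user's identifier and the server never checking whether the caller may act on that object, is CWE-639. The following is an added example, not code from Crafty Controller: a hypothetical "modify user" handler written the vulnerable way beside a hardened version. The user store, field names and handler signatures are assumptions for the demonstration; the point is that the fix authorizes the caller/target/fields triple, not merely the session.

```python
"""CWE-639 (authorization bypass through a user-controlled key) in a
"modify user" handler, vulnerable form and hardened form side by side.

Added example, not Crafty Controller's code. The in-memory store, field
names and handler signatures are assumptions made for the illustration.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not perform the requested modification."""


@dataclass
class User:
    user_id: int
    username: str
    superuser: bool = False
    roles: set = field(default_factory=set)


def make_users():
    """Constructed sample store: one superuser and two ordinary users."""
    return {
        1: User(1, "admin", superuser=True),
        2: User(2, "alice"),
        3: User(3, "bob"),
    }


def patch_user_vulnerable(users, caller_id, target_id, changes):
    """Vulnerable pattern: the only check is that the caller is logged in.
    target_id comes straight from the request path, so any authenticated
    user can modify any other user, including granting superuser to themselves.
    """
    if caller_id not in users:
        raise Forbidden("not authenticated")
    target = users[target_id]  # user-controlled key, never authorized
    for name, value in changes.items():
        setattr(target, name, value)
    return target


# Fields a user may change on their own record vs. fields that confer privilege.
SELF_EDITABLE = {"username"}
PRIVILEGED = {"superuser", "roles"}


def patch_user_fixed(users, caller_id, target_id, changes):
    """Hardened pattern: authorize the (caller, target, fields) triple."""
    caller = users.get(caller_id)
    if caller is None:
        raise Forbidden("not authenticated")

    # 1. Reject unknown fields before touching anything (no mass assignment).
    unknown = set(changes) - SELF_EDITABLE - PRIVILEGED
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")

    # 2. Object-level check: a non-superuser may only act on their own record.
    if not caller.superuser and caller_id != target_id:
        raise Forbidden("cannot modify another user's account")

    # 3. Field-level check: privilege-bearing fields require superuser.
    if not caller.superuser and set(changes) & PRIVILEGED:
        raise Forbidden("cannot change privileged fields")

    target = users.get(target_id)
    if target is None:
        raise KeyError(target_id)
    for name, value in changes.items():
        setattr(target, name, value)
    return target


def demo():
    """Run the same two requests against both handlers and report outcomes."""
    results = {}
    for label, handler in (("vulnerable", patch_user_vulnerable),
                           ("fixed", patch_user_fixed)):
        users = make_users()
        # alice (id 2) tries to rename bob (id 3) and to make herself superuser.
        requests = {
            "rename_other": (2, 3, {"username": "pwned"}),
            "self_escalate": (2, 2, {"superuser": True}),
        }
        for name, (caller, target, change) in requests.items():
            try:
                handler(users, caller, target, change)
                results[(label, name)] = "allowed"
            except Forbidden:
                results[(label, name)] = "forbidden"
        results[(label, "bob_username")] = users[3].username
        results[(label, "alice_superuser")] = users[2].superuser
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

Running `demo()` shows the vulnerable handler letting alice rename bob and grant herself superuser, while the hardened handler refuses both yet still lets the superuser administer other accounts. When testing a real deployment for this class of bug, the equivalent check is to take a low-privilege session and issue the modification request against a user id that is not your own; the server should answer with a 403, not a 200.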
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arcadia_technology_llc | crafty_controller | <= 4.10.2 | — |
| craftycontrol | crafty_controller | < 4.10.4 | 4.10.4 |
| gitlab | crafty_controller | — | — |

The sources disagree on the fixed release: the GitLab advisory below says upgrade to 4.10.3, while the craftycontrol range marks versions below 4.10.4 as affected with 4.10.4 as the fix. Until that is reconciled, treat 4.10.4 as the minimum safe version.
VulDB
Arcadia Crafty Controller up to 4.10.2 Users API authorization (vuldb, 2026-04-21, CVSS 9.0, rated CRITICAL)
A vulnerability labeled as problematic has been found in Arcadia Crafty Controller up to 4.10.2. Affected is an unknown function of the component Users API. Executing a manipulation can lead to authorization bypass.
This vulnerability is tracked as CVE-2026-5652. The attack can be launched remotely. No exploit exists.
GHSA
GHSA-8mj7-3xh5-xpj7 (ghsa_unreviewed, 2026-04-21, rated CRITICAL, CWE-639)
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
GitLab
Authorization Bypass Through User-Controlled Key in Crafty Controller (vendor_gitlab, 2026-04-21, CVSS 9.0, rated CRITICAL, CWE-639)
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
Affected products: Crafty Controller
Affected versions: all releases before the fix (the advisory records the range as starting at version 0)
Solution: Upgrade to version 4.10.3
Credit: Thank you to [Kacper Leszczyński / szotgan](https://gitlab.com/szotgan) on GitLab for reporting this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.