CVE-2026-5652

CRITICAL NVD

CVSS Score 9

Severity CRITICAL

Published Apr 21, 2026

Vendor unknown

Description

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.

References

https://gitlab.com/crafty-controller/crafty-4/-/work_items/705
https://gitlab.com/crafty-controller/crafty-4/-/work_items/705