CVE-2026-5652

CRITICAL

Authorization Bypass Through User-Controlled Key in Crafty Controller

Title source: cna

Description

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.

Scores

CVSS v3 9.0
EPSS 0.0010
EPSS Percentile 27.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-639
Status published
Products (2)
Arcadia Technology, LLC/Crafty Controller < 4.10.2
craftycontrol/crafty_controller < 4.10.4
Published Apr 21, 2026
Tracked Since Apr 21, 2026