CVE 9 CRITICAL

Authorization Bypass Through User-Controlled Key in Crafty Controller_CVE-2026-5652

April 21, 2026 invoker category_cve

9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Description

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.

AI Analysis

Insecure direct object reference vulnerability allowing remote, authenticated attackers to modify users via improper API permissions validation

Basic Information

ID CVE-2026-5652

Source GitLab

Published Apr 21, 2026 at 16:33

Affected Product

Vendor Arcadia Technology, LLC

Product Crafty Controller

Affected Versions Arcadia Technology, LLC Crafty Controller 0

CWE Classification

CWE-639

AI Assessment

AI Score 9 / 10

AI Severity Critical

Vendor Arcadia Technology, LLC

Product Crafty Controller

References

gitlab.com /crafty-controller/crafty-4/-/work_items/705

{
    "lastseen": "",
    "description": "An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.",
    "published": "2026-04-21T16:33:56.878Z",
    "modified": "2026-04-21T16:33:56.878Z",
    "type": "cve",
    "title": "Authorization Bypass Through User-Controlled Key in Crafty Controller",
    "source": "GitLab",
    "references": "https://gitlab.com/crafty-controller/crafty-4/-/work_items/705",
    "id": "CVE-2026-5652",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "Arcadia Technology, LLC Crafty Controller 0",
    "sourceHref": "",
    "cvss": {
        "score": 9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Crafty Controller",
    "version": "0",
    "vendor": "Arcadia Technology, LLC",
    "ai_description": "Insecure direct object reference vulnerability allowing remote, authenticated attackers to modify users via improper API permissions validation",
    "ai_severity": "Critical",
    "ai_vendor": "Arcadia Technology, LLC",
    "ai_product": "Crafty Controller",
    "ai_version": "0",
    "ai_score": 9
}

💭 Join the Security Discussion ❌ Cancel Reply