CVE-2026-5652

An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.

More information : https://gitlab.com/crafty-controller/crafty-4/-/work_items/705