This vulnerability arises from improper authorization checks in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x. An authenticated user can bypass object-level access controls to perform unauthorized read, update, or delete operations on leads belonging to other users by crafting specific GET requests. The flaw compromises data confidentiality and integrity, as attackers can access and manipulate data they should not control. The CVSS 3.1 vector indicates network attack vector, low complexity, no privileges required beyond authentication, and no user interaction needed. No vendor advisory or patch information is currently available, and no known exploits in the wild have been reported.

Successful exploitation allows an authenticated attacker to access, modify, or permanently delete any lead data owned by other users within the CRM system. This can lead to data breaches, loss of data integrity, and potential disruption of business processes relying on lead information. The high CVSS score reflects significant confidentiality and integrity impacts with relatively low attack complexity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected endpoint to trusted users only and monitor for suspicious activity involving lead data access. Implement additional access control checks at the application level if possible to prevent unauthorized object-level access.