This vulnerability involves an insecure direct object reference in the Users API of Crafty Controller, which permits an authenticated attacker to bypass authorization controls and modify user data improperly. The root cause is insufficient validation of API permissions, allowing user-controlled keys to influence access decisions. The vulnerability affects version 0 of the product and is publicly disclosed with a CVSS 3.1 score of 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L). No patch or official remediation level has been provided by the vendor as of the publication date.

Successful exploitation can lead to unauthorized modification of user accounts, resulting in complete compromise of confidentiality and integrity of user data, with limited impact on availability. This could allow attackers with valid credentials to escalate privileges or alter user information beyond their authorized scope.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the Users API to trusted authenticated users only and monitor for suspicious user modification activities. Avoid exposing the vulnerable API to untrusted networks. Follow vendor communications closely for updates on patches or official mitigations.