CVE-2026-5652— Authorization Bypass Through User-Controlled Key in Crafty Controller
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-5652
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authorization Bypass Through User-Controlled Key in Crafty Controller
Source: NVD (National Vulnerability Database)
Vulnerability Description
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Crafty Controller 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Crafty Controller是Arcadia的一个 Minecraft 服务器控制面板/启动器。 Crafty Controller存在安全漏洞,该漏洞源于Users API组件权限验证不当,可能导致远程经过身份验证的攻击者执行用户修改操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Arcadia Technology, LLC | Crafty Controller | 0 ~ 4.10.2 | - |
II. Public POCs for CVE-2026-5652
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-5652
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: Crafty Controller
- CVE-2026-0805
Improper Limitation of a Pathname to a Restricted Directory - CVE-2026-0963
Improper Limitation of a Pathname to a Restricted Directory - CVE-2025-14700
Improper Neutralization of Special Elements Used in a Templa - CVE-2025-14701
Improper Neutralization of Input During Web Page Generation - CVE-2025-5990
Improper Neutralization of Input During Web Page Generation
Same vendor: Arcadia Technology, LLC
- CVE-2026-0805
Improper Limitation of a Pathname to a Restricted Directory - CVE-2026-0963
Improper Limitation of a Pathname to a Restricted Directory - CVE-2025-14700
Improper Neutralization of Special Elements Used in a Templa - CVE-2025-14701
Improper Neutralization of Input During Web Page Generation - CVE-2025-5990
Improper Neutralization of Input During Web Page Generation
Same weakness: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-44400
MailEnable Enterprise Premium < 10.55 Authorization Bypass v - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated
V. Comments for CVE-2026-5652
No comments yet