Title: Indotalent Free-CRM v1.0 commit: b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1 Improper Authorization

Description:
- An authorization vulnerability chain in Free-CRM v1.0 and earlier allows a low-privileged authenticated user to enumerate, access, and modify arbitrary user accounts, including administrators.
- The issue stems from an unauthenticated Swagger endpoint that discloses internal API structure combined with missing server-side authorization checks on privileged security APIs.
- Endpoints such as , , and are affected.
- Invoking these endpoints with a normal user bearer token, an attacker can obtain sensitive profile information and perform unauthorized account modifications.

Source: https://github.com/Ghufran2/CVE-Free-CRM-Advisories/blob/main/Free-CRM%20IDOR.md
User: Ghufar Khan (UID 95493)
Submission Date: 02/14/2026
Moderation Date: 02/26/2026
Status: Accepted
VulDB Entry: 347988
Points: 20