MEDIUM 4.3

CVE-2026-10282: Bottelet DaybydayCRM Authorization Bypass in DocumentsController

Bottelet DaybydayCRM versions up to 2.2.1 contain an authorization flaw in the Documents controller that allows authenticated users to access files they shouldn't be able to view. An attacker with valid login credentials can exploit this remotely to read sensitive documents beyond their intended access scope. The vulnerability is rated MEDIUM severity and requires patching.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the DocumentsController.php view function, where improper authorization checks fail to validate whether a user has permission to access requested documents. An authenticated attacker (PR:L) can make direct requests to view documents without proper role or permission verification. The flaw maps to CWE-266 (Improper Privilege Management) and CWE-285 (Improper Authorization), indicating inadequate access control enforcement in the application logic.

Business impact

Unauthorized document access poses a direct confidentiality risk to organizations using DaybydayCRM. Sensitive business information—contracts, financial records, customer data, or proprietary details—could be exposed to insiders or compromised accounts with valid credentials. While integrity and availability are not directly impacted, data exposure can lead to regulatory violations (GDPR, HIPAA, etc.), reputational damage, and competitive disadvantage depending on document content.

Affected systems

Bottelet DaybydayCRM up to and including version 2.2.1 is affected. Versions beyond 2.2.1 may contain patches; verify the latest release notes from Bottelet for confirmation. All deployment environments running vulnerable versions are at risk if users have authenticated access.

Exploitability

Exploitation requires valid application credentials (CWE-285 reflects privileged but insufficient authorization). No special interaction or special conditions are needed beyond login; an attacker with legitimate access can immediately enumerate and retrieve unauthorized documents. The network-accessible nature (AV:N) and low attack complexity (AC:L) make this straightforward to exploit once authenticated.

Remediation

Update Bottelet DaybydayCRM to a patched version released after the June 2026 vulnerability publication. Review the vendor's advisory for the specific patched version number. Additionally, implement defense-in-depth: audit existing document access logs, enforce least-privilege access controls at the application and database levels, and consider temporary access restrictions until patching is complete.

Patch guidance

Contact Bottelet directly or monitor their security advisory page for patched releases post-2.2.1. Apply patches during a maintenance window; test thoroughly in staging before production rollout given the core authorization impact. If patches are delayed, implement temporary mitigations such as disabling document functionality or restricting user accounts to read-only roles pending remediation.

Detection guidance

Monitor DocumentsController access logs for unusual document view requests from users, particularly accessing documents outside their assigned projects or teams. Analyze database queries for document retrieval patterns that deviate from normal user behavior. Deploy SIEM rules to flag multiple failed authorization responses or anomalous document enumeration attempts. Audit existing document access to identify potential breaches already in progress.

Why prioritize this

Although the CVSS score is MEDIUM (4.3), this vulnerability directly impacts data confidentiality within the CRM—a repository of sensitive business records. The low barrier to exploitation (authenticated only, no user interaction required) makes it attractive to insider threats or lateral movement after account compromise. Prioritize patching within 2–4 weeks, sooner if documents contain highly sensitive data.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects low attack complexity, network accessibility, and a low impact scope confined to confidentiality. The requirement for prior authentication (PR:L) prevents remote unauthenticated exploitation, capping the score in the MEDIUM range. However, real-world context—the nature and volume of documents exposed—may warrant higher business risk even if the technical metric remains 4.3.

Frequently asked questions

Can an unauthenticated attacker exploit this?

No. The vulnerability requires prior authentication to the DaybydayCRM application. An attacker must possess valid login credentials to trigger the improper authorization flaw.

Will patching this break existing functionality?

Patched versions should restore proper authorization checks without breaking legitimate document access. Test in a staging environment first to confirm user workflows remain intact.

What if we restrict access to the Documents feature temporarily?

Disabling or restricting the Documents module until patching is a reasonable interim mitigation, though it may disrupt workflows. Consider combining this with user permission reviews to minimize exposure.

Is there any public exploit code available?

No confirmed public exploits exist as of the advisory publication date. However, the straightforward nature of authorization bypasses means internal discovery is possible; prioritize patching accordingly.

This analysis is based on published vulnerability data and CWE references. Patch versions and availability are not specified in the source advisory; verify the exact remediated version directly with Bottelet before deployment. SEC.co provides this information for situational awareness and risk assessment; organizations must conduct their own testing and validation. No warranty is provided regarding patch efficacy or timing. Always refer to the vendor's official security advisory for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).