Authorization Bypass Through User-Controlled Key Affecting fat_free_crm package, versions >=0.10.1-rc1, <0.26.0


Severity (recommended): 0.0, low, on a scale of 0 to 10. CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-RUBY-FATFREECRM-16083814
  • Published: 16 Apr 2026
  • Disclosed: 14 Apr 2026
  • Credit: bgeesaman

Introduced: 14 Apr 2026

CVE: not available (new). CWE: CWE-639

How to fix?

Upgrade fat_free_crm to version 0.26.0 or higher.

Overview

fat_free_crm is a customer relationship management platform.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the destroy action in app/controllers/emails_controller.rb. An attacker can delete another user’s email record by sending a crafted DELETE /emails/:id request with the target email ID. This allows any authenticated user to remove email entries they do not own, resulting in the loss of stored email data and breaking email-related workflows for the affected account.
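The pattern described above, as an added example that is not fat_free_crm's code: a hypothetical destroy action that trusts the client-supplied id, beside one whose lookup is scoped to the current user. Plain Ruby with an in-memory store so it runs without Rails; the Rails idioms named in the comments are assumptions about the usual fix, not the project's patch.

```ruby
# Added illustration, not fat_free_crm's code: the CWE-639 pattern behind this
# advisory (a destroy action that trusts the client-supplied :id) beside the
# ownership-scoped lookup that closes it.

Email = Struct.new(:id, :user_id, :subject)

# Constructed sample data: two users, each owning one imported email.
# Built fresh on every call so each scenario starts from the same state.
def sample_store
  {
    1 => Email.new(1, 100, "Re: quote"),
    2 => Email.new(2, 200, "Invoice"),
  }
end

# Vulnerable shape (hypothetical, mirrors `Email.find(params[:id])`):
# the record is located by id alone; current_user_id is accepted but never
# consulted, so any authenticated user can destroy any email.
# Returns an HTTP-style status: 204 on delete, 404 when no record exists.
def destroy_unscoped(store, current_user_id, id)
  email = store[id]
  return 404 unless email
  store.delete(id)
  204
end

# Hardened shape (mirrors the usual Rails fix, `current_user.emails.find`):
# the lookup is scoped to records the caller owns, so an id belonging to
# someone else is indistinguishable from a missing one and nothing is deleted.
def destroy_scoped(store, current_user_id, id)
  email = store[id]
  return 404 unless email && email.user_id == current_user_id
  store.delete(id)
  204
end

if __FILE__ == $PROGRAM_NAME
  # User 100 sends DELETE /emails/2, an email owned by user 200.
  s = sample_store
  puts "unscoped: #{destroy_unscoped(s, 100, 2)}, email 2 present: #{s.key?(2)}"
  s = sample_store
  puts "scoped:   #{destroy_scoped(s, 100, 2)}, email 2 present: #{s.key?(2)}"
end
```

The scoped version also keeps the audit trail honest: a 404 for a foreign id is what a scanner or log reviewer would expect to see, whereas the unscoped version answers 204 and silently removes another account's data.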

Notes

  • The vulnerable path is gated by the Email Dropbox workflow; the maintainer's advisory indicates the impact is limited to emails imported into the system through that feature, and disabling the dropbox is the stated workaround.

Workarounds

  • Disable use of the Email Dropbox to prevent authenticated users from deleting emails imported through that feature by ID.
