CVE-2026-59234
Status: Received - Intake

Authorization Bypass in Prospero Flow CRM Calendar Events

Vulnerability report for CVE-2026-59234, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: 4daa8cea-433a-44bd-9456-53b127fc289a

Description

Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:
Vendor: roskus
Product: prospero_flow_crm
Version / Range: 5.5.3

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Executive Summary

CVE-2026-59234 is an authorization bypass vulnerability in the Prospero Flow CRM application before version 5.5.3. It occurs in the CalendarDeleteEventController, where an authenticated attacker can delete calendar events belonging to other users by manipulating the {id} parameter in the GET request to /calendar/event/delete/{id}.

The root cause is that the delete handler uses Calendar::find($id)->delete() without verifying ownership or scoping by user_id or company_id. This lack of ownership checks allows attackers to delete arbitrary calendar events that do not belong to them.

This vulnerability is a type of Insecure Direct Object Reference (IDOR) and is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).

Impact Analysis

This vulnerability allows a remote, authenticated attacker to delete calendar events belonging to other users within the Prospero Flow CRM platform.

The impact includes unauthorized destruction of important calendar data across the platform, potentially disrupting business operations, causing loss of critical scheduling information, and damaging trust among users.

Because the attacker can supply arbitrary event IDs and no authorization check is applied, they can delete any user's calendar events, which may lead to data-integrity problems and operational disruption.

Detection Guidance

This vulnerability can be detected by testing the GET endpoint /calendar/event/delete/{id} for a missing ownership check, and by monitoring requests to it.

Specifically, an authenticated user can attempt to manipulate the {id} parameter in the URL to delete calendar events that do not belong to them. If the system allows deletion without ownership verification, it is vulnerable.

To detect this on your system, you can use commands or tools to simulate authenticated requests with different {id} values and observe if unauthorized deletions occur.

  • Use curl to send an authenticated GET request, for example: curl -X GET -b cookie.txt "https://yourcrm.example.com/calendar/event/delete/123"
  • Change the event ID (123) to the ID of a calendar event owned by another user and check whether the deletion is allowed. Because the request is destructive, run this test against a staging instance or against an event created for that purpose.
  • Monitor logs for unexpected deletions or unauthorized access attempts to calendar events.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Prospero Flow CRM software to version 5.5.3 or higher, where this vulnerability has been fixed.

The fix involves implementing strict ownership validation checks on delete endpoints to ensure users can only delete resources they own.

Until the upgrade can be applied, restrict access to the vulnerable endpoint /calendar/event/delete/{id} to trusted users only, and monitor for suspicious activity.

Additionally, review and apply best practices against Broken Object Level Authorization (BOLA, OWASP API Security Top 10 API1) to prevent similar authorization bypass issues on other endpoints.
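The ownership check described above, as an added illustration that is not Prospero Flow CRM's own code: a Laravel-style controller showing the vulnerable pattern from the advisory beside a hardened handler that scopes the lookup to the calling user's records. It assumes an Eloquent Calendar model with a user_id column and an authenticated request; the method names and the column are assumptions, not the project's.

```php
<?php
// Added example, not the project's code. Assumes a Laravel application with an
// Eloquent model App\Models\Calendar that has a user_id ownership column (assumed).

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Vulnerable pattern as described in the advisory: the record is resolved by
    // the user-controlled {id} alone, so any authenticated user can delete any
    // event. Kept here only to show what the hardened version changes.
    public function vulnerableDelete(int $id): RedirectResponse
    {
        Calendar::find($id)->delete();

        return redirect()->back();
    }

    // Hardened pattern: constrain the query to rows owned by the caller before
    // deleting. An event that exists but belongs to someone else produces the
    // same 404 as a non-existent id, so the response does not confirm whether
    // the id is valid.
    public function __invoke(Request $request, int $id): RedirectResponse
    {
        $event = Calendar::query()
            ->whereKey($id)
            ->where('user_id', $request->user()->id) // assumed ownership column
            ->firstOrFail();

        $event->delete();

        return redirect()->back();
    }
}
```

If the application uses Laravel policies, the same effect can be had with `$this->authorize('delete', $event)` after a plain `findOrFail($id)`, which keeps the ownership rule in one place for every calendar endpoint. Registering the route as a DELETE (or POST) request with the `auth` middleware, rather than a state-changing GET, is a separate improvement worth making at the same time.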

Compliance Impact

The vulnerability allows unauthorized deletion of other users' calendar events due to lack of ownership checks, which can lead to unauthorized data manipulation and potential data loss.

Such unauthorized access and modification of user data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

By enabling attackers to delete data belonging to other users without proper authorization, the vulnerability undermines data integrity and confidentiality requirements mandated by these standards.
