CVE-2026-59235
Received Received - Intake

Missing Authorization in Prospero Flow CRM

Vulnerability report for CVE-2026-59235, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: 4daa8cea-433a-44bd-9456-53b127fc289a

Description

Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the "User"/"Usuario" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the auth:api middleware and carries no permission gate, unlike the equivalent web route, which enforces can('read bank'), and the handler resolves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
prospero flow_crm to 5.5.3 (exc)
roskus prospero_flow_crm From 4.6.0|end_including=5.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Missing Authorization vulnerability (CWE-862) in Prospero Flow CRM versions before 5.5.3. The BankAccountListController endpoint GET /api/bank-account lacks proper permission checks. Authenticated low-privileged users can access bank account records belonging to their company by sending a request with a valid token. The endpoint only scopes records by company_id without verifying user permissions, exposing sensitive banking data like IBAN and SWIFT/BIC.

Impact Analysis

An attacker with a low-privileged role could read all bank account records within their company, including sensitive financial details such as account numbers, IBAN, and SWIFT/BIC codes. This could lead to unauthorized access to confidential banking information, potential financial fraud, or data breaches affecting the organization.

Compliance Impact

This vulnerability likely violates compliance requirements for data protection regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive financial and personal data. Unauthorized disclosure of banking information could result in legal penalties, regulatory fines, and reputational damage due to non-compliance with data security standards.

Detection Guidance

To detect this vulnerability, check if your Prospero Flow CRM version is between 4.6.0 and 5.5.2. Run: curl -s https://your-crm-domain.com/api/bank-account -H 'Authorization: Bearer YOUR_TOKEN' | grep -i 'iban\|swift\|bic'. If sensitive data is returned without proper permission checks, the system is vulnerable.

Mitigation Strategies
  • Upgrade Prospero Flow CRM to version 5.5.3 or higher immediately to apply the security fix.
  • Review API access logs for unauthorized requests to /api/bank-account endpoints.
  • Ensure all API endpoints enforce proper permission checks, not just authentication.
Executive Summary

This vulnerability is a Missing Authorization issue (CWE-862) in Prospero Flow CRM versions before 5.5.3. It allows low-privileged users, such as those with the 'User' or 'Usuario' role, to read arbitrary bank account records belonging to their company by sending an authenticated request to the GET /api/bank-account endpoint. The endpoint is protected only by basic authentication without proper permission checks, unlike the web route which enforces specific permissions.

Impact Analysis

This vulnerability allows unauthorized users to access sensitive banking information such as IBAN, SWIFT/BIC, and account identifiers. An attacker with a low-privileged role could exploit this to disclose confidential financial data belonging to their company, potentially leading to financial fraud, data breaches, or compliance violations.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to unauthorized access to sensitive financial data. GDPR requires protection of personal data, while HIPAA mandates safeguards for protected health information. Unauthorized disclosure of banking details may result in legal penalties, reputational damage, and loss of trust.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59235. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart