CVE-2026-59236
Received Received - Intake

Authorization Bypass in Roskus Prospero Flow CRM

Vulnerability report for CVE-2026-59236, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: 4daa8cea-433a-44bd-9456-53b127fc289a

Description

Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
roskus prospero_flow_crm 5.14.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an authorization bypass vulnerability where authenticated users can manipulate the company_id field in Excel import files to create records in another company's tenant. The flaw exists in the CustomerImport, LeadImport, and ProductImport handlers in Roskus Prospero Flow CRM before version 5.14.0.

Impact Analysis

An attacker could inject fake customer, lead, or product records into your company's CRM data, corrupting listings, metrics, and campaigns. This could lead to data integrity issues, incorrect reporting, and potential business disruptions.

Compliance Impact

This vulnerability could lead to unauthorized data access or corruption across tenants, potentially violating data segregation requirements in GDPR and HIPAA. Unauthorized record injection may result in compliance breaches due to improper data handling.

Detection Guidance

Check if your Prospero Flow CRM version is below 5.14.0 by running: grep -r 'version' /path/to/prospero-flow-crm/config/app.php or checking the admin panel. Inspect Excel import logs for POST /customer/import/excel/save requests with mismatched company_id values between the authenticated user and the file.

Mitigation Strategies

Upgrade Prospero Flow CRM to version 5.14.0 or higher immediately. If upgrading is not possible, restrict access to Excel import endpoints (POST /customer/import/excel/save) until patched. Monitor for unauthorized record creation across tenants.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart