CVE-2026-59237
Received Received - Intake

Authorization Bypass in Roskus Prospero Flow CRM

Vulnerability report for CVE-2026-59237, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: 4daa8cea-433a-44bd-9456-53b127fc289a

Description

Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
roskus prospero_flow_crm 5.5.3
roskus prospero_flow_crm From 4.6.0 (inc) to 5.5.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59237 is an Authorization Bypass Through User-Controlled Key (IDOR) vulnerability in Roskus Prospero Flow CRM's Order and OrderItem REST API controllers. It allows a remote, authenticated user to read, modify, or delete orders and order items belonging to other companies by exploiting sequential numeric IDs in API endpoints like GET /api/order/{id} or PUT /api/order/{id}. The flaw occurs because these controllers do not scope records by the authenticated user's company, unlike the OrderDeleteController which does.

Detection Guidance

To detect this vulnerability, check if your Prospero Flow CRM version is below 5.5.3. Test endpoints like GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id} with sequential IDs to see if unauthorized data access occurs. Monitor logs for unusual cross-tenant requests.

Impact Analysis

An attacker could access sensitive customer data (PII like names, emails, addresses), modify order amounts or statuses, or delete orders across all tenants. Since order IDs are sequential and lack rate limiting, attackers can easily enumerate and exfiltrate or alter records, breaking tenant isolation in the multi-company platform.

Compliance Impact

This vulnerability likely violates compliance requirements for data protection and privacy, such as GDPR (unauthorized access to PII) and HIPAA (exposure of sensitive customer data). It breaks tenant isolation, leading to unauthorized data exposure across companies, which could result in regulatory fines and legal consequences.

Mitigation Strategies

Immediately upgrade Prospero Flow CRM to version 5.5.3 or higher. Ensure all Order and OrderItem API endpoints enforce company_id scoping. Review and restrict access to sensitive PII fields in responses. Implement rate limiting on API endpoints to prevent ID enumeration.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59237. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart