CVE-2026-59234 PUBLISHED

Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion

Assigner: Secur0
Reserved: 03.07.2026
Published: 03.07.2026
Updated: 03.07.2026

Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter. The delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id or company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
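For readers looking at how the described handler goes wrong and what ownership scoping looks like in a Laravel controller, the following is an added illustration; it is not Prospero Flow CRM's code or its actual fix. It assumes an Eloquent model App\Models\Calendar with user_id and company_id columns (the scoping columns the advisory names), an authenticated user with a company_id attribute, and a route named 'calendar'; those names are assumptions.

```php
<?php
// Added illustration, not the project's code. Assumes a Laravel application with an
// Eloquent model App\Models\Calendar carrying user_id and company_id columns, a
// User model with a company_id attribute, and a named route 'calendar'. All assumed.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // The pattern the advisory describes (CWE-639): the row is resolved from the
    // client-supplied {id} alone. Any authenticated user who changes the id deletes
    // another user's event. find() also returns null for an unknown id, so the
    // chained ->delete() throws instead of responding cleanly.
    public function vulnerable(Request $request, int $id)
    {
        Calendar::find($id)->delete();          // no user_id / company_id check
        return redirect()->route('calendar');
    }

    // Hardened form: the lookup is scoped to the caller's tenant and the caller's own
    // rows before anything is deleted. An id that belongs to someone else simply does
    // not match, so the request ends in 404 rather than in a deletion.
    public function __invoke(Request $request, int $id)
    {
        $user = $request->user();

        $event = Calendar::query()
            ->where('company_id', $user->company_id)   // tenant boundary
            ->where('user_id', $user->id)              // record owner
            ->whereKey($id)                            // primary-key match last
            ->firstOrFail();                           // 404 when not owned by caller

        $event->delete();

        return redirect()->route('calendar')->with('status', 'Event deleted');
    }
}

// Equivalent rule expressed as a Laravel policy, for apps that centralize
// authorization. Registered for the Calendar model, it lets the controller call
// $this->authorize('delete', $event) after loading the row; a foreign id then
// gets 403 instead of a deletion. Class and method names are assumptions.
namespace App\Policies;

use App\Models\Calendar;
use App\Models\User;

class CalendarPolicy
{
    public function delete(User $user, Calendar $event): bool
    {
        return $event->company_id === $user->company_id
            && $event->user_id === $user->id;
    }
}
```

The query-scoped version is the one to prefer when the existence of other users' records should not be observable, because a foreign id and a nonexistent id both produce the same 404. Either variant is a fix for the missing ownership check; the route itself is left as the advisory describes it (GET /calendar/event/delete/{id}, behind authentication).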

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor Roskus
Product Prospero Flow CRM
Versions Default: unaffected
  • affected from 1.0.0 to 5.5.3 (excl.)

Solutions

Upgrade to version 5.5.3 or higher.

Credits

  • Robert Mihaila finder
  • Amirreza Fadaeizadeh Bidari finder
  • Xoan M. Otero Jorge analyst
  • Secur0 CNA coordinator
  • Gustavo Novaro remediation developer

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key

Impacts

  • CAPEC-77 Manipulating User-Controlled Variables