CVE-2026-59235 PUBLISHED

Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts

Assigner: Secur0
Reserved: 03.07.2026 Published: 15.07.2026 Updated: 15.07.2026

Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the "User"/"Usuario" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the auth:api middleware and carries no permission gate, unlike the equivalent web route, which enforces can('read bank'), and the handler resolves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Roskus
Product Prospero Flow CRM
Versions Default: unaffected
  • affected from 4.6.0 to 5.5.3 (excl.)

Solutions

Upgrade to version 5.5.3 or higher.

Credits

  • David Moreno Urbanos finder
  • YoyoDavelion finder
  • Gustavo Novaro remediation developer
  • Secur0 CNA coordinator
  • Xoan M. Otero Jorge analyst
  • Cristian Fernández Cornejo analyst

References

Problem Types

  • CWE-639 Authorization bypass through User-Controlled key CWE