CVE-2026-59237 PUBLISHED

IDOR in Prospero Flow CRM Order API allows cross-tenant read and modification of orders

Assigner: Secur0
Reserved: 03.07.2026 Published: 16.07.2026 Updated: 16.07.2026

Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor Roskus
Product Prospero Flow CRM
Versions Default: unaffected
  • affected from 4.6.0 to 5.5.3 (excl.)

Solutions

Upgrade to version 5.5.3 or higher.

Credits

  • theoffsecgirl finder
  • Cristian Fernandez Cornejo analyst
  • Xoán M. Otero Jorge analyst
  • Secur0 CNA coordinator
  • Gustavo Novaro remediation developer

References

Problem Types

  • CWE-639 Authorization bypass through User-Controlled key CWE