🔐 CVE Alert

CVE-2026-59235

UNKNOWN 0.0

Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the "User"/"Usuario" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the auth:api middleware and carries no permission gate, unlike the equivalent web route, which enforces can('read bank'), and the handler resolves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it.

CWE CWE-639
Vendor roskus
Product prospero flow crm
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for roskus prospero flow crm

Be the first to know when new unknown vulnerabilities affecting roskus prospero flow crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Roskus / Prospero Flow CRM
4.6.0 < 5.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/Roskus/prospero-flow-crm/commit/57bb57212af03151c989d67d6723d5ddb3e81e7b github.com: https://github.com/Roskus/prospero-flow-crm/releases#release-v5.5.3 secur0.com: https://secur0.com/en/cna/cve-list/cve-2026-59235-missing-authorization-in-prospero-flow-crm-allows-low-privileged-users-to-read-all-bank-accounts

Credits

David Moreno Urbanos YoyoDavelion Gustavo Novaro Secur0 CNA Xoan M. Otero Jorge Cristian Fernández Cornejo