🔐 CVE Alert

CVE-2026-59236

UNKNOWN 0.0

Authorization bypass in Prospero Flow CRM Excel import allows cross-tenant record injection

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.

CWE CWE-639
Vendor roskus
Product prospero flow crm
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for roskus prospero flow crm

Be the first to know when new unknown vulnerabilities affecting roskus prospero flow crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Roskus / Prospero Flow CRM
1.0.0 < 5.14.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/Roskus/prospero-flow-crm/commit/bdd6c9770a7435a45f0411154671b8a3e94dcdaa github.com: https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.14.0 secur0.com: https://secur0.com/en/cna/cve-list/cve-2026-59236-authorization-bypass-in-prospero-flow-crm-excel-import-allows-cross-tenant-record-injection

Credits

Mario Álvarez Fernández (maalfer) Thomas O'Neil Álvarez (thomas.pime) Gustavo Novaro Xoan M. Otero Jorge Cristian Fernández Cornejo Secur0 CNA