CVE-2026-59236
Authorization bypass in Prospero Flow CRM Excel import allows cross-tenant record injection
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.
| CWE | CWE-639 |
| Vendor | roskus |
| Product | prospero flow crm |
| Published | Jul 15, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for roskus prospero flow crm
Be the first to know when new unknown vulnerabilities affecting roskus prospero flow crm are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Roskus / Prospero Flow CRM
1.0.0 < 5.14.0
References
github.com: https://github.com/Roskus/prospero-flow-crm/commit/bdd6c9770a7435a45f0411154671b8a3e94dcdaa github.com: https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.14.0 secur0.com: https://secur0.com/en/cna/cve-list/cve-2026-59236-authorization-bypass-in-prospero-flow-crm-excel-import-allows-cross-tenant-record-injection
Credits
Mario Álvarez Fernández (maalfer) Thomas O'Neil Álvarez (thomas.pime) Gustavo Novaro Xoan M. Otero Jorge Cristian Fernández Cornejo Secur0 CNA