๐Ÿ” CVE Alert

CVE-2026-59237

UNKNOWN 0.0

IDOR in Prospero Flow CRM Order API allows cross-tenant read and modification of orders

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.

CWE CWE-639
Vendor roskus
Product prospero flow crm
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for roskus prospero flow crm

Be the first to know when new unknown vulnerabilities affecting roskus prospero flow crm are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Roskus / Prospero Flow CRM
4.6.0 < 5.5.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/Roskus/prospero-flow-crm/commit/9a859c4de3d49674916773d346c60d89ad7febe0 github.com: https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3 secur0.com: https://secur0.com/en/cna/cve-list/cve-2026-59237-idor-in-prospero-flow-crm-order-api-allows-cross-tenant-read-and-modification-of-orders

Credits

theoffsecgirl Cristian Fernandez Cornejo Xoรกn M. Otero Jorge Secur0 CNA Gustavo Novaro