CVE-2026-59237
IDOR in Prospero Flow CRM Order API allows cross-tenant read and modification of orders
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.
| CWE | CWE-639 |
| Vendor | roskus |
| Product | prospero flow crm |
| Published | Jul 16, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for roskus prospero flow crm
Be the first to know when new unknown vulnerabilities affecting roskus prospero flow crm are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Roskus / Prospero Flow CRM
4.6.0 < 5.5.3
References
github.com: https://github.com/Roskus/prospero-flow-crm/commit/9a859c4de3d49674916773d346c60d89ad7febe0 github.com: https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3 secur0.com: https://secur0.com/en/cna/cve-list/cve-2026-59237-idor-in-prospero-flow-crm-order-api-allows-cross-tenant-read-and-modification-of-orders
Credits
theoffsecgirl Cristian Fernandez Cornejo Xoรกn M. Otero Jorge Secur0 CNA Gustavo Novaro