Unknown · Prospero Flow Crm · CVE-2026-59235
**Name of the Vulnerable Software and Affected Versions**
Prospero Flow CRM versions prior to 5.5.3
**Description**
An authorization flaw exists in the `BankAccountListController` (app/Http/Controllers/Api/BankAccount/BankAccountListController.php) at the GET '/api/bank-account' endpoint. A remote, authenticated attacker with a low-privileged role, such as User, can read arbitrary bank account records belonging to their company. This occurs because the API route is protected only by the `auth:api` middleware and lacks a permission gate, unlike the web route which enforces the `can('read bank')` check. The handler uses `Account::where('company id', Auth::user()->company id)->get()`, which only applies company scoping without verifying the user's role or permissions. This leads to the unauthorized disclosure of sensitive banking data, including IBAN, SWIFT/BIC, and account identifiers.
**Recommendations**
Update Prospero Flow CRM to version 5.5.3 or later.
As a temporary mitigation, restrict access to the '/api/bank-account' endpoint to only authorized administrative roles.