PT-2026-55537 · Unknown · Prospero Flow Crm

Gustavo Novaro (+2)

Published 2026-07-03 · Updated 2026-07-03

CVE-2026-59234

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Prospero Flow CRM versions prior to 5.5.3

Description: An authorization bypass exists in the CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php) via the GET '/calendar/event/delete/{id}' endpoint. A remote, authenticated attacker can delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter. This occurs because the delete handler calls Calendar::find($id)->delete() without performing ownership checks, such as scoping by user id or company id, leading to unauthorized destruction of data across the platform.

Recommendations: Update Prospero Flow CRM to version 5.5.3 or later. As a temporary mitigation, restrict access to the '/calendar/event/delete/{id}' endpoint.
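The following is an added illustration of the flaw described above and of an ownership-scoped replacement; it is not Prospero Flow CRM's own code and does not reproduce its fix. It assumes a Laravel controller, an Eloquent `Calendar` model under `App\Models`, and that the `calendars` table carries `user_id` and `company_id` columns and the authenticated user carries a `company_id` attribute; those names are placeholders chosen for the example.

```php
<?php
// Added example, not the project's code. Assumed names: App\Models\Calendar,
// `user_id` / `company_id` columns on the calendar table, and a `company_id`
// attribute on the authenticated user.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Vulnerable pattern as described in the advisory: {id} is taken from the
    // URL and the row is deleted no matter who owns it. Any authenticated user
    // can iterate ids and remove other users' events. (find() also returns
    // null for an unknown id, so this line throws on a bad guess instead of
    // responding 404.)
    public function deleteUnscoped(int $id): RedirectResponse
    {
        Calendar::find($id)->delete();

        return redirect()->back();
    }

    // Hardened pattern: constrain the lookup to rows the caller is allowed to
    // touch before deleting. A guessed id that belongs to another user or
    // another company simply does not match, and firstOrFail() turns the miss
    // into a 404 rather than a deletion.
    public function __invoke(Request $request, int $id): RedirectResponse
    {
        $user = $request->user();

        $event = Calendar::query()
            ->whereKey($id)
            ->where('company_id', $user->company_id) // tenant boundary (assumed column)
            ->where('user_id', $user->id)            // owner boundary (assumed column)
            ->firstOrFail();

        $event->delete();

        return redirect()->back();
    }
}
```

The essential change is that the ownership predicate is part of the query itself, so there is no window in which an object is loaded and then acted on without a check. Where an application already uses Laravel policies, the same effect can be obtained by loading the event and calling `$this->authorize('delete', $event)` before `delete()`; either way, the caller's identity must constrain which row can be reached, which the unscoped `find($id)` never does.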

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-59234

Affected Products

Prospero Flow Crm