Skip to main content

Prospero Flow CRM CVE-2026-59236

| EUVDEUVD-2026-44622 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-15 Secur0 GHSA-rpp3-j482-5g39
6.9
CVSS 4.0 · Vendor: Secur0
Share

Severity by source

Vendor (Secur0) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.0 MEDIUM

Authenticated attacker (PR:L) crosses tenant boundary (S:C) achieving low integrity-only impact; no confidentiality or availability effect applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (Secur0).

CVSS VectorVendor: Secur0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 15, 2026 - 11:47 vuln.today
Analysis Generated
Jul 15, 2026 - 11:47 vuln.today

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.

AnalysisAI

Cross-tenant record injection in Roskus Prospero Flow CRM before 5.14.0 allows any authenticated user to silently insert customer, lead, and product records into a competing company's tenant by manipulating the company_id field in an uploaded Excel spreadsheet. The three affected import handlers (CustomerImport, LeadImport, ProductImport) map company_id directly from the user-controlled file without verifying it matches the authenticated session's own company, collapsing the multi-tenant data isolation boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to CRM with any valid low-privilege account
Delivery
Identify victim tenant's company_id via enumeration or UI observation
Exploit
Craft Excel spreadsheet with company_id column set to victim tenant's ID
Execution
Upload spreadsheet to POST /customer/import/excel/save
Persist
Server maps company_id from file with no ownership check
Impact
Records injected into victim tenant's data namespace

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session in any user role within a Prospero Flow CRM instance before version 5.14.0 - the CVE description confirms 'any role or company' is sufficient, meaning the lowest-privileged non-admin account qualifies (the provided CVSS 4.0 vector's PR:N is a scoring error contradicting this requirement). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector lists PR:N (no privileges required), which directly conflicts with the CVE description, which explicitly states exploitation requires 'a remote, authenticated user of any role or company' - this is a confirmed CVSS scoring error that overstates the unauthenticated attack surface and must not be used for risk-tier decisions without correction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user at Company A constructs an Excel spreadsheet in which the company_id column is populated with Company B's tenant identifier - obtainable by observing the application UI, enumerating integer IDs, or through prior legitimate access - and uploads it to the CRM's customer import endpoint. The server maps company_id directly from the file and creates the specified customer, lead, or product records within Company B's data namespace with no ownership check, silently polluting their CRM data. …
Remediation Upgrade to Prospero Flow CRM version 5.14.0 or later, which resolves the vulnerability by replacing $row['company_id'] with Auth::user()->company_id in all three import handlers (patch commit bdd6c9770a7435a45f0411154671b8a3e94dcdaa, available at https://github.com/Roskus/prospero-flow-crm/commit/bdd6c9770a7435a45f0411154671b8a3e94dcdaa; tagged release at https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.14.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy