Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
Metrics
Affected Vendors & Products
References
History
Fri, 03 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform. | |
| Title | Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion | |
| First Time appeared |
Roskus
Roskus prospero Flow Crm |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Roskus
Roskus prospero Flow Crm |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: Secur0
Published: 2026-07-03T12:47:38.445Z
Updated: 2026-07-03T12:47:38.445Z
Reserved: 2026-07-03T11:24:39.241Z
Link: CVE-2026-59234
No data.
No data.
No data.