Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
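The fix the advisory implies is to scope the lookup to the requesting user's own records before deleting. The following is an added illustration, not code from Prospero Flow; the controller and route shape follow the advisory, while the model namespace, route name, and the `company_id`/`user_id` columns on the authenticated user are assumptions.

```php
<?php
// Added example (not the vendor's code): vulnerable lookup beside its scoped replacement.
// Route per the advisory: Route::get('/calendar/event/delete/{id}', CalendarDeleteEventController::class);

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;          // assumed model namespace
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Pattern described by the advisory (CWE-639): the record is resolved from the
    // client-supplied {id} alone, so any authenticated user can delete any event.
    // It also dereferences null when $id matches nothing, which is a separate crash.
    public function deleteUnscoped(int $id)
    {
        Calendar::find($id)->delete();
        return redirect()->route('calendar');   // route name assumed
    }

    // Hardened handler: constrain the query to the caller's tenant and the caller's
    // own events before the primary-key lookup. An id belonging to someone else is
    // then simply not found (404), so no cross-user deletion is possible.
    public function __invoke(Request $request, int $id)
    {
        $user = $request->user();

        $event = Calendar::query()
            ->where('company_id', $user->company_id)   // tenant scoping (column name from advisory)
            ->where('user_id', $user->id)              // owner scoping (column name from advisory)
            ->findOrFail($id);                          // ModelNotFoundException -> HTTP 404

        $event->delete();

        return redirect()->route('calendar');
    }
}
```

The same effect can be achieved with a Laravel policy (`$this->authorize('delete', $event)`) after a plain `findOrFail`, but scoping the query itself also avoids revealing whether a foreign id exists.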
Advisories
No advisories yet.
Fixes
Solution
Upgrade to version 5.5.3 or higher.
Workaround
No workaround given by the vendor.
References
History
Fri, 03 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform. | |
| Title | Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion | |
| First Time appeared | Roskus, Roskus prospero Flow Crm | |
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:* | |
| Vendors & Products | Roskus, Roskus prospero Flow Crm | |
| References | | |
| Metrics | cvssV4_0 | |
Status: PUBLISHED
Assigner: Secur0
Published:
Updated: 2026-07-03T12:47:38.445Z
Reserved: 2026-07-03T11:24:39.241Z
Link: CVE-2026-59234
OpenCVE Enrichment
No data.