Description
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
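The pattern the description names, shown as an added example next to one way to close it. This is illustration code, not the Prospero Flow CRM source or the 5.5.3 fix (the page shows neither). The `Calendar` model, the `user_id`/`company_id` columns and the `CalendarDeleteEventController` name follow the description; the `App\Models` namespace, the `company_id` attribute on the authenticated user and the `calendar.index` route name are assumptions.

```php
<?php
// Added example, not the project's code. Assumes a Laravel application with an
// Eloquent model App\Models\Calendar that has user_id and company_id columns
// (the advisory says the handler does no scoping on these) and an
// authenticated User model carrying a company_id attribute.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Vulnerable shape (CWE-639): the row is selected by the client-supplied
    // {id} alone, so any authenticated user can delete any user's event.
    // A non-existent id also makes find() return null, and ->delete() on
    // null is a fatal error rather than a clean 404.
    public function deleteUnscoped(int $id)
    {
        Calendar::find($id)->delete();

        return redirect()->route('calendar.index');
    }

    // Hardened shape: the tenant and owner columns are part of the WHERE
    // clause, so an id outside the caller's scope is "not found" (404) and
    // nothing is deleted. firstOrFail() also removes the null dereference.
    public function delete(Request $request, int $id)
    {
        $user = $request->user();

        $event = Calendar::where('id', $id)
            ->where('company_id', $user->company_id)
            ->where('user_id', $user->id) // drop this clause only if every
                                          // user in a company may delete
                                          // shared events, and say so in a
                                          // policy rather than here
            ->firstOrFail();

        $event->delete();

        return redirect()->route('calendar.index');
    }
}
```

Scoping the query is preferable to fetching by id and comparing owners afterwards, because the unauthorized row never leaves the database and the two code paths (missing id, foreign id) are indistinguishable to the caller. In a Laravel codebase the same check can live in a `CalendarPolicy::delete` method invoked with `$this->authorize('delete', $event)`, which keeps the rule in one place if other controllers also touch events. A quick regression check for the fixed version: authenticate as user A, take an event id that belongs to user B, request `/calendar/event/delete/{id}`, and confirm the response is 404 or 403 and B's event still exists. Independently of this CVE, a state-changing action behind a GET route is also reachable by cross-site navigation; moving it to a `DELETE` (or `POST` with the CSRF token) route is a sensible companion change.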
Remediation
Vendor Solution
Upgrade to version 5.5.3 or higher.
Advisories
No advisories yet.
References
History
Fri, 03 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform. |
| Title | | Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion |
| First Time appeared | | Roskus; Roskus prospero Flow Crm |
| Weaknesses | | CWE-639 |
| CPEs | | cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:* |
| Vendors & Products | | Roskus; Roskus prospero Flow Crm |
| References | | |
| Metrics | | cvssV4_0 |
Status: PUBLISHED
Assigner: Secur0
Published:
Updated: 2026-07-03T12:47:38.445Z
Reserved: 2026-07-03T11:24:39.241Z
Link: CVE-2026-59234