Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Solution
Upgrade to version 5.5.3 or higher.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker holding a low-privileged role (e.g. the "User"/"Usuario" role) to read arbitrary bank account records belonging to their company by sending an authenticated request to the endpoint with a valid bearer token, because the API route is protected only by the auth:api middleware and carries no permission gate, unlike the equivalent web route, which enforces can('read bank'), and the handler resolves records with Account::where('company_id', Auth::user()->company_id)->get(), performing only company scoping and no role or permission check before returning the data. This results in the unauthorized disclosure of sensitive banking information (e.g. IBAN, SWIFT/BIC, account identifiers) to users who should not have access to it. | |
| Title | Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts | |
| First Time appeared |
Roskus
Roskus prospero Flow Crm |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Roskus
Roskus prospero Flow Crm |
|
| References |
|
|
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: Secur0
Published:
Updated: 2026-07-15T12:23:58.603Z
Reserved: 2026-07-03T11:24:39.242Z
Link: CVE-2026-59235
Updated: 2026-07-15T12:23:54.807Z
No data.
No data.
OpenCVE Enrichment
No data.