Authorization Bypass in Prospero Flow CRM Calendar Management
CVE-2026-59234
6.9 MEDIUM
What is CVE-2026-59234?
A vulnerability in Prospero Flow CRM allows remote, authenticated attackers to delete any user's calendar events by manipulating the event ID in the deletion request URL. The delete function does not verify that the requester owns the targeted calendar event, so any authenticated user can remove other users' events, leading to unauthorized data loss across the platform.
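To make the class of flaw concrete, here is an added example that is not Prospero Flow CRM's own code and assumes nothing about its implementation: a minimal Python delete handler that trusts the event ID taken from the request (the pattern the advisory describes), beside one that scopes the lookup to the requesting user and records refused attempts so probing of other users' IDs shows up in logs. The names (EventStore, delete_event_vulnerable, delete_event_fixed, build_sample_store) and the sample events are constructed for this example.

```python
"""Constructed example of a missing-ownership-check (IDOR) delete handler and
its hardened counterpart. Not Prospero Flow CRM code; all names are assumed."""
from dataclasses import dataclass, field


@dataclass
class CalendarEvent:
    event_id: int
    owner_id: int
    title: str


@dataclass
class EventStore:
    """In-memory stand-in for a calendar_events table (constructed)."""
    events: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, event: CalendarEvent) -> None:
        self.events[event.event_id] = event


def build_sample_store() -> EventStore:
    """Two users, one event each (constructed sample data)."""
    store = EventStore()
    store.add(CalendarEvent(event_id=1, owner_id=100, title="alice: standup"))
    store.add(CalendarEvent(event_id=2, owner_id=200, title="bob: review"))
    return store


def delete_event_vulnerable(store: EventStore, requester_id: int, event_id: int) -> bool:
    """The pattern the advisory describes: the ID from the URL is trusted and the
    row is deleted without checking whether requester_id owns it."""
    if event_id not in store.events:
        return False
    del store.events[event_id]
    return True


def delete_event_fixed(store: EventStore, requester_id: int, event_id: int) -> bool:
    """Hardened handler: the lookup is scoped to the requester, so an event that
    exists but belongs to someone else is treated as not found. The refused
    attempt is written to an audit log, which is the signal a defender can
    alert on (one user repeatedly hitting IDs that are not theirs)."""
    event = store.events.get(event_id)
    if event is None:
        return False
    if event.owner_id != requester_id:
        store.audit_log.append(
            f"DENY delete event_id={event_id} requester={requester_id} owner={event.owner_id}"
        )
        # Same outcome as a missing event: no hint that the ID exists.
        return False
    del store.events[event_id]
    return True


if __name__ == "__main__":
    s = build_sample_store()
    # User 200 deleting user 100's event succeeds against the vulnerable handler.
    print("vulnerable:", delete_event_vulnerable(s, 200, 1), sorted(s.events))
    s = build_sample_store()
    # The same request is refused by the fixed handler and logged.
    print("fixed:", delete_event_fixed(s, 200, 1), sorted(s.events), s.audit_log)
```

The fixed handler answers "not found" for both a nonexistent ID and someone else's ID, which avoids leaking which IDs exist; the denial is still recorded server-side so that a burst of DENY entries from one requester stands out in monitoring.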
Affected Version(s)
Prospero Flow CRM 1.0.0 up to (but not including) 5.5.3
References
CVSS v4
Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Robert Mihaila
Amirreza Fadaeizadeh Bidari
Xoan M. Otero Jorge
Secur0 CNA
Gustavo Novaro
