Description
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
Published: 2026-07-03
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authorization bypass through a user-controlled key in the CalendarDeleteEventController of Prospero Flow CRM. The delete endpoint resolves the event record by the ID taken from the URL and removes it without checking who owns it. As a result, an authenticated attacker can delete any calendar event belonging to other users, leading to loss of data and disruption of schedules. This flaw corresponds to CWE-639 and compromises the integrity of user-generated content.

Affected Systems

The flaw affects the Roskus Prospero Flow CRM product and is present in all releases earlier than version 5.5.3. The security advisory recommends upgrading to v5.5.3 or later, where the delete handler includes proper authorization checks. The vulnerability is exposed at the HTTP GET path /calendar/event/delete/{id} and requires authenticated access.

Risk and Exploitability

The CVSS 4.0 base score is 6.9 (Medium). EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Because exploitation requires only valid credentials and a change to the {id} path parameter, any user with an account can be expected to trigger it with little effort. Note that the published CVSS 4.0 vector records PR:N (no privileges required) while the description states that authentication is required. The missing ownership check permits deletion of events across the platform, an integrity violation; prompt remediation is advised even though the rating is moderate.

Generated by OpenCVE AI on July 3, 2026 at 17:13 UTC.

Remediation

Vendor Solution

Upgrade to version 5.5.3 or higher.


OpenCVE Recommended Actions

  • Upgrade Prospero Flow CRM to version 5.5.3 or later, which applies the required authorization checks.
  • If an immediate upgrade is not possible, modify the delete handler to enforce that Calendar::find($id) is scoped to the authenticated user or their organization before deletion.
  • Validate incoming event IDs to confirm they belong to the current user and restrict the endpoint to roles explicitly authorized to delete events.
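The two handler shapes the advisory contrasts, as an added example in Laravel-style PHP; this is not Prospero Flow's own code. It assumes a Laravel application with an Eloquent model App\Models\Calendar that has a user_id column (the advisory's "user_id/company_id scoping" wording), a route named calendar.index to return to, and the standard auth middleware; the route registration at the bottom would normally live in routes/web.php.

```php
<?php
// Added example, not the project's code. Assumptions: Laravel app, Eloquent model
// App\Models\Calendar with a user_id column, route name 'calendar.index'.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

class CalendarDeleteEventController extends Controller
{
    // The pattern the advisory describes: the record is located by the
    // caller-supplied {id} alone and deleted. Any authenticated user can remove
    // any event, and an unknown id makes find() return null, so ->delete()
    // fails with a server error instead of a clean response.
    public function deleteUnscoped(int $id): RedirectResponse
    {
        Calendar::find($id)->delete();

        return redirect()->route('calendar.index');
    }

    // Hardened handler: the lookup itself is scoped to the authenticated user,
    // so an {id} that belongs to someone else is simply not found and the
    // request ends in a 404 rather than a deletion. Because the scope is part
    // of the query, there is no window in which the foreign record is loaded.
    public function __invoke(Request $request, int $id): RedirectResponse
    {
        $event = Calendar::query()
            ->where('user_id', $request->user()->id)
            // For organisation-wide ownership (the advisory's company_id
            // alternative) use this predicate instead of the user_id one:
            // ->where('company_id', $request->user()->company_id)
            ->findOrFail($id);

        $event->delete();

        return redirect()->route('calendar.index');
    }
}

// routes/web.php (shown here for completeness): register the handler behind
// the auth middleware on a state-changing verb. Moving off GET is an extra
// hardening step beyond the advisory's fix; it lets Laravel's CSRF middleware
// cover the request, which it does not do for GET.
Route::delete('/calendar/event/delete/{id}', CalendarDeleteEventController::class)
    ->middleware('auth')
    ->name('calendar.event.delete');
```

Returning 404 from the scoped findOrFail, rather than loading the record and then checking ownership, means the response does not distinguish "exists but is not yours" from "does not exist", so the endpoint cannot be used to enumerate other users' event IDs. A feature test that logs in as one user and requests the deletion of another user's event, asserting a 404 and that the row still exists, is the regression check worth keeping for this fix.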

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Description          -                Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
Title                -                Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion
First Time appeared  -                Roskus; Roskus prospero Flow Crm
Weaknesses           -                CWE-639
CPEs                 -                cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*
Vendors & Products   -                Roskus; Roskus prospero Flow Crm
References           -                -
Metrics              -                cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Secur0

Published:

Updated: 2026-07-03T12:47:38.445Z

Reserved: 2026-07-03T11:24:39.241Z

Link: CVE-2026-59234

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T17:15:04Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key