Byte Open Security (ByteOS Network)

Vulnerability Details: CVE-2026-59234

Summary
Assigner-Secur0
Assigner Org ID-4daa8cea-433a-44bd-9456-53b127fc289a
Published At-03 Jul, 2026 | 12:47
Updated At-03 Jul, 2026 | 12:47
Rejected At-

Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion

Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
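As an added illustration (not the project's code), a Laravel-style handler in the shape the advisory describes, followed by one that scopes the lookup to the caller's company_id and user_id so a foreign {id} cannot resolve to a deletable row. The controller and model names and the two columns come from the advisory; the route name and the User model attributes are assumptions.

```php
<?php
// Added illustration, not the project's code. Only Calendar::find($id)->delete()
// and the user_id/company_id columns come from the advisory; the route name and
// the User model attributes are assumptions.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Shape described in the advisory: the row is resolved from the
    // user-controlled {id} alone, so any authenticated user can delete any
    // event. (find() may also return null, so ->delete() would throw on an
    // unknown id.)
    public function deleteUnscoped(int $id)
    {
        Calendar::find($id)->delete();

        return redirect()->route('calendar');
    }

    // Hardened version: resolve the row only inside the caller's tenant and
    // ownership scope. firstOrFail() answers 404 both for an unknown id and
    // for another user's event, so the endpoint does not reveal which is which.
    public function delete(Request $request, int $id)
    {
        $user = $request->user();

        $event = Calendar::query()
            ->whereKey($id)
            ->where('company_id', $user->company_id)
            ->where('user_id', $user->id)
            ->firstOrFail();

        $event->delete();

        return redirect()->route('calendar');
    }
}
```

The same scoping belongs on every read/update/delete route that takes a record id; a per-model policy checked with authorize() is the usual way to keep it in one place.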

Common Vulnerabilities and Exposures (CVE), cve.org
CVE Numbering Authority (CNA)

Affected Products
Vendor
Roskus
Product
Prospero Flow CRM
Collection URL
https://github.com/Roskus/prospero-flow-crm
Repo
https://github.com/Roskus/prospero-flow-crm
CPEs
  • cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*
Program Files
  • app/Http/Controllers/Calendar/CalendarDeleteEventController.php
Default Status
unaffected
Versions
Affected
  • From 1.0.0 before 5.5.3 (semver)
Problem Types
Type: CWE
CWE ID: CWE-639
Description: CWE-639 Authorization Bypass Through User-Controlled Key
Metrics
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC ID: CAPEC-77
Description: CAPEC-77 Manipulating User-Controlled Variables
Solutions

Upgrade to version 5.5.3 or higher.

Credits
Finder: Robert Mihaila
Finder: Amirreza Fadaeizadeh Bidari
Analyst: Xoan M. Otero Jorge
Coordinator: Secur0 CNA
Remediation developer: Gustavo Novaro
References
Hyperlink: https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70
Resource: patch
Hyperlink: https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3
Resource: release-notes
Hyperlink: https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events
Resource: related
National Vulnerability Database (NVD), nvd.nist.gov
Source: 4daa8cea-433a-44bd-9456-53b127fc289a
Published At: 03 Jul, 2026 | 13:17
Updated At: 03 Jul, 2026 | 13:17

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches

Weaknesses
CWE ID: CWE-639
Type: Secondary
Source: 4daa8cea-433a-44bd-9456-53b127fc289a
References
Hyperlink: https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70
Source: 4daa8cea-433a-44bd-9456-53b127fc289a
Resource: N/A
Hyperlink: https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3
Source: 4daa8cea-433a-44bd-9456-53b127fc289a
Resource: N/A
Hyperlink: https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events
Source: 4daa8cea-433a-44bd-9456-53b127fc289a
Resource: N/A

Change History
0 entries (information is not available yet)

Similar CVEs

2 records found

CVE-2025-3536
Matching Score-4
Assigner-VulDB
CVSS Score-6.9 | MEDIUM
EPSS-0.58% / 43.50%
7 Day CHG~0.00%
Published-13 Apr, 2025 | 11:31
Updated-05 Jun, 2025 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutorials-Website Employee Management System delete-user.php improper authorization

A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-Tutorials-Website (tutorials-website)
Product-Employee Management System (employee_management_system)
CWE ID-CWE-266 Incorrect Privilege Assignment
CWE ID-CWE-285 Improper Authorization
CWE ID-CWE-639 Authorization Bypass Through User-Controlled Key
CVE-2025-31360
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.9 | MEDIUM
EPSS-0.44% / 35.33%
7 Day CHG~0.00%
Published-15 Apr, 2025 | 21:48
Updated-12 Nov, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.

Action-Not Available
Vendor-Growatt (growatt)
Product-Cloud portal (cloud_portal)
CWE ID-CWE-639 Authorization Bypass Through User-Controlled Key