Byte Open Security

(ByteOS Network)

CVE Vulnerability Details: CVE-2026-59234
PUBLISHED
Assigner: Secur0
Assigner Org ID: 4daa8cea-433a-44bd-9456-53b127fc289a
Published At: 03 Jul, 2026 | 12:47
Updated At: 03 Jul, 2026 | 12:47
Rejected At: -
CVE Numbering Authority (CNA)
Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion

Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
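Illustrative PHP (Laravel) showing the unscoped lookup described above next to an ownership-scoped variant. This is an added example, not the project's code and not the patch in the referenced commit; the model class App\Models\Calendar, the user_id and company_id columns on it, and the redirect target are assumptions.

```php
<?php
// Added illustration (not Prospero Flow CRM's code): the CWE-639 pattern the
// advisory describes, beside a variant that scopes the lookup to the caller.
// Assumes a Laravel app whose Calendar model carries user_id and company_id.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;               // assumed model location
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Shape described in the advisory: the row is fetched by the caller-supplied
    // {id} alone, so any authenticated user can delete any other user's event.
    public function vulnerable(int $id): RedirectResponse
    {
        Calendar::find($id)->delete();   // no ownership or tenant check

        return redirect()->back();
    }

    // Hardened shape: the query is constrained to the caller's tenant and account
    // before the delete runs. An {id} belonging to someone else matches no row,
    // and firstOrFail() yields a 404 instead of touching foreign data.
    public function __invoke(Request $request, int $id): RedirectResponse
    {
        $user = $request->user();

        Calendar::query()
            ->whereKey($id)
            ->where('company_id', $user->company_id)   // tenant scoping
            ->where('user_id', $user->id)              // owner scoping
            ->firstOrFail()
            ->delete();

        return redirect()->back();
    }
}
```

A Laravel Policy (`$this->authorize('delete', $event)`) is the framework-native alternative to the inline `where` clauses; either way the check must key off the authenticated session, never off the path parameter.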

Affected Products
Vendor
Roskus
Product
Prospero Flow CRM
Collection URL
https://github.com/Roskus/prospero-flow-crm
Repo
https://github.com/Roskus/prospero-flow-crm
CPEs
  • cpe:2.3:a:roskus:prospero_flow_crm:*:*:*:*:*:*:*:*
Program Files
  • app/Http/Controllers/Calendar/CalendarDeleteEventController.php
Default Status
unaffected
Versions
Affected
  • From 1.0.0 before 5.5.3 (semver)
Problem Types
Type: CWE
CWE ID: CWE-639
Description: CWE-639 Authorization Bypass Through User-Controlled Key
Metrics
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC ID: CAPEC-77
Description: CAPEC-77 Manipulating User-Controlled Variables
Solutions

Upgrade to version 5.5.3 or higher.

Configurations

Workarounds

Exploits

Credits

Finder: Robert Mihaila
Finder: Amirreza Fadaeizadeh Bidari
Analyst: Xoan M. Otero Jorge
Coordinator: Secur0 CNA
Remediation developer: Gustavo Novaro
Timeline
Replaced By

Rejected Reason

References
  • https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70 (patch)
  • https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3 (release-notes)
  • https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events (related)