PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59237 Roskus CVE debrief

CVE-2026-59237 is an authorization bypass vulnerability in Roskus Prospero Flow CRM before 5.5.3. A remote, authenticated user can read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}. The vulnerability exists because the Order and OrderItem REST API controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.

Vendor
Roskus
Product
Prospero Flow CRM
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Organizations using Roskus Prospero Flow CRM before version 5.5.3 should prioritize patching this vulnerability to prevent potential unauthorized access to sensitive order and order item data.

Technical summary

The vulnerability is caused by the lack of proper authorization checks in the Order and OrderItem REST API controllers. Specifically, the controllers use Order::find($id) / Item::find($id) to retrieve records without considering the authenticated user's company scope. This allows an authenticated user to access, modify, or delete orders and order items belonging to other companies (tenants) by providing a sequential numeric {id}.

Defensive priority

High

Recommended defensive actions

  • Apply the patch: Upgrade to Roskus Prospero Flow CRM version 5.5.3 or later.
  • Inventory and monitor: Verify that all instances of Roskus Prospero Flow CRM are up-to-date and monitor for suspicious activity.
  • Implement compensating controls: Consider implementing additional authorization checks and monitoring to detect potential exploitation attempts.
  • Review CVE and vendor advisories for accurate affected versions and scope.
  • Check for existing exposure by reviewing logs and monitoring for unusual activity.
  • Perform asset inventory to identify all instances of Roskus Prospero Flow CRM.
  • Track exceptions and retest remediated assets to ensure patching was successful.

Evidence notes

The CVE record was published on 2026-07-16T15:16:34.730Z and has not been modified since then. The NVD entry is currently Deferred. There is limited evidence available to confirm affected deployments and scope. Defenders should verify the official CVE record and vendor advisory for accurate details. The vulnerability exists in Roskus Prospero Flow CRM before version 5.5.3. Authenticated users may be able to read, modify, or delete orders and order items from other companies due to inadequate authorization checks in the Order and OrderItem REST API controllers.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T15:16:34.730Z and has not been modified since then. The NVD entry is currently Deferred.