PatchSiren cyber security CVE debrief
CVE-2026-59237 Roskus CVE debrief
CVE-2026-59237 is an authorization bypass vulnerability in Roskus Prospero Flow CRM before 5.5.3. A remote, authenticated user can read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}. The vulnerability exists because the Order and OrderItem REST API controllers resolve records with Order::find($id) / Item::find($id) without scoping by the authenticated user's company.
- Vendor
- Roskus
- Product
- Prospero Flow CRM
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Organizations using Roskus Prospero Flow CRM before version 5.5.3 should prioritize patching this vulnerability to prevent potential unauthorized access to sensitive order and order item data.
Technical summary
The vulnerability is caused by the lack of proper authorization checks in the Order and OrderItem REST API controllers. Specifically, the controllers use Order::find($id) / Item::find($id) to retrieve records without considering the authenticated user's company scope. This allows an authenticated user to access, modify, or delete orders and order items belonging to other companies (tenants) by providing a sequential numeric {id}.
Defensive priority
High
Recommended defensive actions
- Apply the patch: Upgrade to Roskus Prospero Flow CRM version 5.5.3 or later.
- Inventory and monitor: Verify that all instances of Roskus Prospero Flow CRM are up-to-date and monitor for suspicious activity.
- Implement compensating controls: Consider implementing additional authorization checks and monitoring to detect potential exploitation attempts.
- Review CVE and vendor advisories for accurate affected versions and scope.
- Check for existing exposure by reviewing logs and monitoring for unusual activity.
- Perform asset inventory to identify all instances of Roskus Prospero Flow CRM.
- Track exceptions and retest remediated assets to ensure patching was successful.
Evidence notes
The CVE record was published on 2026-07-16T15:16:34.730Z and has not been modified since then. The NVD entry is currently Deferred. There is limited evidence available to confirm affected deployments and scope. Defenders should verify the official CVE record and vendor advisory for accurate details. The vulnerability exists in Roskus Prospero Flow CRM before version 5.5.3. Authenticated users may be able to read, modify, or delete orders and order items from other companies due to inadequate authorization checks in the Order and OrderItem REST API controllers.
Official resources
-
CVE-2026-59237 CVE record
CVE.org
-
CVE-2026-59237 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
4daa8cea-433a-44bd-9456-53b127fc289a
-
Source reference
4daa8cea-433a-44bd-9456-53b127fc289a
-
Source reference
4daa8cea-433a-44bd-9456-53b127fc289a
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T15:16:34.730Z and has not been modified since then. The NVD entry is currently Deferred.