MEDIUM
Roskus
CVE published 2026-07-16
CVE-2026-59237
CVE-2026-59237 is an authorization bypass vulnerability in Roskus Prospero Flow CRM before 5.5.3. A remote, authenticated user can read, modify, and delete orders and order items belonging to any other company (tenant) via a sequential numeric {id} supplied to GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, or DELETE /api/order-item/{id}. The vulnerability exi [truncated]