{"id":"CVE-2026-59234","summary":"Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion","details":"Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)-\u003edelete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.","modified":"2026-07-15T01:49:11.122781574Z","published":"2026-07-03T12:47:38.445Z","database_specific":{"cna_assigner":"Secur0","cwe_ids":["CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59234.json"},"references":[{"type":"WEB","url":"https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59234.json"},{"type":"ADVISORY","url":"https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59234"},{"type":"FIX","url":"https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70"},{"type":"PACKAGE","url":"https://github.com/Roskus/prospero-flow-crm"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roskus/prospero-flow-crm","events":[{"introduced":"ee6dff95b0f396858c3e86e8988cd0ebed363c5d"},{"fixed":"584f315878b8366244c95fe3cb016b3a63f05db8"}],"database_specific":{"extracted_events":[{"introduced":"1.0.0"},{"fixed":"5.5.3"}],"source":"AFFECTED_FIELD"}}],"versions":["v4.6.0","v2.0.1","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59234.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"}]}