Auth bypass in Roskus Prospero Flow Crm
CVE-2026-59235
Missing Authorization (CWE-862) in BankAccountListController (app/Http/Controllers/Api/BankAccount/BankAccountListController.php), exposed at GET /api/bank-account, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker…
Vulnerability class: IDOR (Insecure Direct Object Reference)
Affected products
- Roskus Prospero Flow Crm — versions 4.6.0
Weakness classification (CWE)
References
- 4daa8cea-433a-44bd-9456-53b127fc289a (patch)
- 4daa8cea-433a-44bd-9456-53b127fc289a (release-notes)
- 4daa8cea-433a-44bd-9456-53b127fc289a (technical-description)