Auth bypass in Roskus Prospero Flow Crm

CVE-2026-59237

Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belo…

Vulnerability class: IDOR (Insecure Direct Object Reference)

Affected products

Weakness classification (CWE)

References