Skip to content
CVE-2026-59236 ·
Medium · July 15, 2026

Authorization bypass in Prospero Flow CRM Excel import allows cross-tenant record injection

S0
Secur0 CNA
CVE-2026-59236

Description

Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers CustomerImport, LeadImport, and ProductImport (app/Imports/CustomerImport.php, app/Imports/LeadImport.php, app/Imports/ProductImport.php), reachable through POST /customer/import/excel/save and the equivalent lead and product Excel import endpoints, in Prospero Flow CRM <5.14.0, which allows a remote, authenticated attacker of any role or company to create customer, lead, and product records inside another company's tenant by uploading a spreadsheet whose company_id column points to the victim tenant, because the import model maps the value directly from the file ('company_id' => $row['company_id']) and performs no check that it matches the authenticated user's company, unlike the CSV import path, which forces $customer->company_id = Auth::user()->company_id. Because company_id is an incremental integer, victim tenants are trivially enumerable. This results in unauthorized cross-tenant data injection that corrupts other companies' listings, metrics, and campaigns, with no reference to the attacker who created the records.

Vulnerability type (CWE)

CWE-639: Authorization Bypass Through User-Controlled Key

Affected versions

Prospero Flow CRM before 5.14.0 (all versions prior to 5.14.0). The flaw has been present since 1.0.0 and was fixed in 5.14.0. Default status: unaffected.

Score (CVSS 4.0)

Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Solution

Upgrade to version 5.14.0 or higher.

Patch

Commit bdd6c977

Credits

  • Mario Álvarez Fernández (maalfer) - finder
  • Thomas O'Neil Álvarez (thomas.pime) - finder
  • Cristian Fernandez Cornejo - analyst
  • Xoán M. Otero Jorge - analyst
  • Secur0 CNA - coordinator
  • Gustavo Novaro - remediation developer Discovery source: External Official record: CVE-2026-59236