Authorization bypass in Prospero Flow CRM Excel import allows cross-tenant record injection
Description
Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers CustomerImport, LeadImport, and ProductImport (app/Imports/CustomerImport.php, app/Imports/LeadImport.php, app/Imports/ProductImport.php), reachable through POST /customer/import/excel/save and the equivalent lead and product Excel import endpoints, in Prospero Flow CRM <5.14.0, which allows a remote, authenticated attacker of any role or company to create customer, lead, and product records inside another company's tenant by uploading a spreadsheet whose company_id column points to the victim tenant, because the import model maps the value directly from the file ('company_id' => $row['company_id']) and performs no check that it matches the authenticated user's company, unlike the CSV import path, which forces $customer->company_id = Auth::user()->company_id. Because company_id is an incremental integer, victim tenants are trivially enumerable. This results in unauthorized cross-tenant data injection that corrupts other companies' listings, metrics, and campaigns, with no reference to the attacker who created the records.
Vulnerability type (CWE)
CWE-639: Authorization Bypass Through User-Controlled Key
Affected versions
Prospero Flow CRM before 5.14.0 (all versions prior to 5.14.0). The flaw has been present since 1.0.0 and was fixed in 5.14.0. Default status: unaffected.
Score (CVSS 4.0)
Medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Solution
Upgrade to version 5.14.0 or higher.
Patch
Commit bdd6c977
Credits
- Mario Álvarez Fernández (maalfer) - finder
- Thomas O'Neil Álvarez (thomas.pime) - finder
- Cristian Fernandez Cornejo - analyst
- Xoán M. Otero Jorge - analyst
- Secur0 CNA - coordinator
- Gustavo Novaro - remediation developer Discovery source: External Official record: CVE-2026-59236