Skip to content
CVE-2026-59237 ·
Medium · July 16, 2026

IDOR in Prospero Flow CRM Order API allows cross-tenant read and modification of orders

S0
Secur0 CNA
CVE-2026-59237

Description

Authorization Bypass Through User-Controlled Key (CWE-639) in the Order and OrderItem REST API controllers (OrderReadController, OrderUpdateController, OrderItemReadController, OrderItemUpdateController, and OrderItemDeleteController, under app/Http/Controllers/Api/Order/), exposed at GET /api/order/{id}, PUT /api/order/{id}, GET /api/order-item/{id}, PUT /api/order-item/{id}, and DELETE /api/order-item/{id}, in Prospero Flow CRM <5.5.3, which allows a remote, authenticated attacker to read, modify, and delete orders and order items belonging to any other company (tenant) by supplying a sequential numeric {id}, because the controllers resolve records with Order::find($id) / Item::find($id) without scoping by company, unlike OrderDeleteController, which filters by where('company_id', Auth::user()->company_id). The read path discloses third-party customer PII (name, email, phone, VAT, full address, and geolocation), seller and company data, and the unsanitized signature_html field, while the write path allows tampering with order amounts and status. Because order IDs are sequential integers with no rate limiting, an attacker can enumerate and exfiltrate or alter records across every tenant on the instance. This results in cross-tenant disclosure and modification of sensitive personal and business data, breaking the tenant isolation of the multi-company platform.

Vulnerability type (CWE)

CWE-639: Authorization Bypass Through User-Controlled Key

Affected versions

Prospero Flow CRM after 4.6.0 and before 5.5.3. The vulnerable Order and OrderItem API endpoints were introduced after 4.6.0 and fixed before the 5.5.3 tag, so no tagged release shipped vulnerable. Default status: unaffected.

Score (CVSS 4.0)

High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Solution

Upgrade to version 5.5.3 or higher.

Patch

Commit 9a859c4d

Credits

  • theoffsecgirl - finder
  • Cristian Fernandez Cornejo - analyst
  • Xoán M. Otero Jorge - analyst
  • Secur0 CNA - coordinator
  • Gustavo Novaro - remediation developer Discovery source: External Official record: CVE-2026-59237