{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "1.0.0"
              },
              {
                "fixed": "5.5.3"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "ee6dff95b0f396858c3e86e8988cd0ebed363c5d"
            },
            {
              "fixed": "584f315878b8366244c95fe3cb016b3a63f05db8"
            }
          ],
          "repo": "https://github.com/roskus/prospero-flow-crm",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Secur0",
    "cwe_ids": [
      "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59234.json"
  },
  "details": "Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)-\u003edelete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.",
  "id": "CVE-2026-59234",
  "modified": "2026-07-15T01:49:11.122781574Z",
  "published": "2026-07-03T12:47:38.445Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://secur0.com/en/cna/cve-list/cve-2026-59234-idor-in-prospero-flow-crm-allows-deletion-of-other-users-calendar-events"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59234.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59234"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Roskus/prospero-flow-crm/commit/8c26eed4d80544c30e55448e12a8e999af6d2b70"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Roskus/prospero-flow-crm"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion"
}