Home

Description

Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.

PUBLISHED Reserved 2026-07-03 | Published 2026-07-03 | Updated 2026-07-06 | Assigner Secur0




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

1.0.0 (semver) before 5.5.3
affected

Credits

Robert Mihaila finder

Amirreza Fadaeizadeh Bidari finder

Xoan M. Otero Jorge analyst

Secur0 CNA coordinator

Gustavo Novaro remediation developer

References

github.com/...ommit/8c26eed4d80544c30e55448e12a8e999af6d2b70 (Fix commit 8c26eed4 - add user_id ownership check before delete) patch

github.com/Roskus/prospero-flow-crm/releases/tag/v5.5.3 (Release v5.5.3 (fixed version)) release-notes

secur0.com/...allows-deletion-of-other-users-calendar-events related

cve.org (CVE-2026-59234)

nvd.nist.gov (CVE-2026-59234)

Download JSON