CVE-2026-59234
Severity: Medium (CVSS 6.9)
Summary
A vulnerability in Prospero Flow CRM before version 5.5.3 allows an authenticated attacker to delete arbitrary calendar events of other users by manipulating the {id} parameter in a GET request to /calendar/event/delete/{id}. The lack of ownership checks (user_id/company_id) before deletion enables unauthorized data destruction.
Risk Assessment
The organization faces loss of calendar data integrity, potentially disrupting team planning and collaboration, as well as confidentiality breaches by exposing other users' schedules.
Recommendation
Immediately upgrade Prospero Flow CRM to version 5.5.3 or later, which includes a fix for this vulnerability. Additionally, implement access control checks at the application level for all resource operations.
Original NVD description (English source)
Authorization Bypass Through User-Controlled Key (CWE-639) in CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at GET /calendar/event/delete/{id}, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calendar events belonging to other users by manipulating the {id} path parameter, because the delete handler resolves the record with Calendar::find($id)->delete() and performs no ownership check (no user_id/company_id scoping) before deletion. This results in unauthorized destruction of other users' calendar events across the platform.
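To make the flaw and its fix concrete, the following is an added illustration in Laravel, not Prospero Flow's actual controller: the unscoped delete the advisory describes beside a handler whose lookup is constrained to the caller's company and own events, so a foreign {id} yields a 404 instead of a deletion. The model name Calendar and the user_id/company_id columns come from the advisory; the route name, the `company_id` attribute on the user model, and the response shape are assumptions.

```php
<?php
// Added illustration of CWE-639 in a Laravel delete handler (not the project's code).
// Model name Calendar and the user_id/company_id columns are taken from the advisory;
// the route name and the user's company_id attribute are assumed for the example.

namespace App\Http\Controllers\Calendar;

use App\Http\Controllers\Controller;
use App\Models\Calendar;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;

class CalendarDeleteEventController extends Controller
{
    // Vulnerable shape: the record is resolved by the user-controlled {id} alone,
    // so any authenticated user can delete any other user's event.
    public function deleteUnscoped(int $id): RedirectResponse
    {
        Calendar::find($id)->delete();   // no ownership or tenant check

        return redirect()->route('calendar.index');
    }

    // Hardened shape: the query is scoped to the caller's tenant and to events the
    // caller owns. An id belonging to someone else matches no row, and
    // firstOrFail() raises a ModelNotFoundException (HTTP 404) rather than deleting.
    public function delete(Request $request, int $id): RedirectResponse
    {
        $user = $request->user();

        $event = Calendar::query()
            ->whereKey($id)
            ->where('company_id', $user->company_id)
            ->where('user_id', $user->id)
            ->firstOrFail();

        $event->delete();

        return redirect()->route('calendar.index');
    }
}
```

The ownership scope in the query is the fix the advisory calls for; exposing the handler on a non-GET verb is a separate hardening step and is not what the advisory reports.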