CVE-2026-59235
Roskus · Prospero Flow CRM
The BankAccountListController in Prospero Flow CRM suffers from a missing authorization flaw, allowing unauthorized users to access sensitive bank account information.
Executive summary
A critical authorization bypass vulnerability in Prospero Flow CRM, CVE-2026-59235, allows unauthorized users to access sensitive financial data without appropriate permissions.
Vulnerability
This is a CWE-639 vulnerability where authorization is bypassed due to user-controlled keys in the BankAccountListController. It allows unauthenticated or low-privileged actors to gain unauthorized access to bank account records.
Business impact
This vulnerability poses a severe risk to data confidentiality, as it facilitates the unauthorized exposure of financial records stored within the CRM. With a CVSS score of 8.7, the potential for data breach and regulatory non-compliance is high. Organizations could face significant reputational damage if sensitive financial information is accessed by unauthorized parties.
Remediation
Immediate Action: Upgrade to version 5.5.3 or higher immediately to apply the required authorization checks.
Proactive Monitoring: Review access logs for the BankAccountListController to identify any abnormal query patterns or access attempts from unauthorized accounts.
Compensating Controls: Utilize network-level access controls or an API gateway to restrict access to sensitive endpoints to authorized networks or known IP ranges.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The vulnerability represents a critical risk to financial data privacy. Administrators must treat this as an urgent patch requirement and move to version 5.5.3 immediately to secure sensitive bank account records.