CVE-2026-59235

Roskus · Prospero Flow CRM

The BankAccountListController in Prospero Flow CRM suffers from a missing authorization flaw, allowing unauthorized users to access sensitive bank account information.

Executive summary

A critical authorization bypass vulnerability in Prospero Flow CRM, CVE-2026-59235, allows unauthorized users to access sensitive financial data without appropriate permissions.

Vulnerability

This is a CWE-639 vulnerability where authorization is bypassed due to user-controlled keys in the BankAccountListController. It allows unauthenticated or low-privileged actors to gain unauthorized access to bank account records.

Business impact

This vulnerability poses a severe risk to data confidentiality, as it facilitates the unauthorized exposure of financial records stored within the CRM. With a CVSS score of 8.7, the potential for data breach and regulatory non-compliance is high. Organizations could face significant reputational damage if sensitive financial information is accessed by unauthorized parties.

Remediation

Immediate Action: Upgrade to version 5.5.3 or higher immediately to apply the required authorization checks.

Proactive Monitoring: Review access logs for the BankAccountListController to identify any abnormal query patterns or access attempts from unauthorized accounts.

Compensating Controls: Utilize network-level access controls or an API gateway to restrict access to sensitive endpoints to authorized networks or known IP ranges.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The vulnerability represents a critical risk to financial data privacy. Administrators must treat this as an urgent patch requirement and move to version 5.5.3 immediately to secure sensitive bank account records.