CVE-2026-59236 in Prospero Flow CRMinfo

Summary

by MITRE • 07/15/2026

Authorization Bypass Through User-Controlled Key (CWE-639) in the Excel import handlers (CustomerImport, LeadImport, ProductImport) in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company's tenant via a spreadsheet whose company_id column points to the victim tenant, uploaded to POST /customer/import/excel/save, which maps company_id directly from the file and performs no check that it matches the authenticated user's company.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability represents a critical authorization bypass flaw classified as CWE-639, which specifically addresses authorization bypass through user-controlled keys in software applications. The vulnerability exists within the Excel import functionality of Roskus Prospero Flow CRM version 5.14.0 and earlier, affecting three distinct import handlers: CustomerImport, LeadImport, and ProductImport. These components process spreadsheet data through the POST /customer/import/excel/save endpoint, creating a pathway for malicious exploitation that undermines the fundamental multi-tenant security architecture of the platform.

The technical implementation of this vulnerability stems from the lack of proper validation mechanisms within the import processing logic. When users upload Excel files containing customer, lead, or product data, the system directly maps the company_id field from the imported spreadsheet to the database records without performing any authorization checks against the authenticated user's company affiliation. This direct mapping approach bypasses all normal access control mechanisms that should prevent users from creating records in tenants they do not belong to, effectively allowing cross-tenant data manipulation.

The operational impact of this vulnerability is severe and multifaceted, particularly within multi-tenant environments where data isolation is paramount for maintaining customer privacy and security. An authenticated user with any role can exploit this weakness to inject records into another company's tenant simply by crafting an Excel file that references the target company's identifier. This creates a persistent threat vector that could enable data leakage, manipulation of competitor information, or unauthorized access to sensitive business data belonging to other organizations sharing the same platform instance.

The vulnerability aligns with several ATT&CK framework techniques including T1078 Valid Accounts for initial access and T1566 Phishing for credential compromise, though the core issue lies in the lack of proper authorization controls during data import operations. Organizations implementing this CRM system face significant risks including potential data breaches, regulatory compliance violations, and reputational damage when third-party vendors or malicious insiders exploit this weakness to gain unauthorized access to competing organizations' data within the same tenant environment.

Effective mitigations for this vulnerability require immediate implementation of strict input validation and authorization checking mechanisms within the import handlers. The system must validate that any company_id values present in imported files match the authenticated user's company identifier before creating any database records. Additionally, comprehensive logging and monitoring should be implemented to detect anomalous import activities that may indicate exploitation attempts. The fix should also include proper separation of concerns between data validation and data persistence operations to ensure that all external data inputs undergo rigorous authorization verification before being processed by the system.

The vulnerability demonstrates a classic failure in secure coding practices where the principle of least privilege is not properly enforced during data import operations. This type of flaw often occurs when developers assume that user authentication provides sufficient protection without considering that imported data may contain malicious or unauthorized references to other tenants. Implementing proper access control checks at the point of data ingestion, rather than relying on trust in external data sources, would effectively prevent this class of vulnerability from occurring in similar applications.

Organizations using Roskus Prospero Flow CRM should urgently upgrade to version 5.14.0 or later where this authorization bypass has been addressed through proper validation of company_id fields during import operations. Security teams should also conduct thorough audits of all data import mechanisms within their systems to identify and remediate similar vulnerabilities that may exist in other components handling external data inputs. The incident highlights the critical importance of implementing robust input validation and access control checks, particularly for operations involving data ingestion from untrusted sources within multi-tenant environments where data isolation is essential for maintaining security boundaries between customer tenants.

Responsible

Secur0

Reservation

07/03/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!