Back to overview

CVE-2026-52841

LOW
3.1
CVSS 3.1
Description
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php:278` stores its URL-supplied `provider_id` in the session, and `oauth_callback` saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.

Metadata

CVE ID
CVE-2026-52841
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-08 18:41 UTC
Published
2026-07-14 15:27 UTC
Last updated
2026-07-14 15:45 UTC
Primary CWE
CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product
alextselegidis / easyappointments
Sources
cve.org  ·  NVD

Severity & Metrics

3.1 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
alextselegidis easyappointments < 1.6.0
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639: Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
3.1 LOW 3.1 cna CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
References (2)
Back to overview