CVE-2026-52841
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Summary
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, Google::oauth at application/controllers/Google.php:278 stores its URL-supplied provider_id in the session, and oauth_callback saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| alextselegidis | easyappointments | < 1.6.0 | affected |
Weaknesses
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-8hm4-r66f-29wr
- https://github.com/alextselegidis/easyappointments/commit/4b2d245d2cd2058dc76e05f6eb65b26699268471
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.