CVE-2026-52837 in easyappointmentsinfo

Summary

by MITRE • 07/14/2026

Easy!Appointments is a self hosted appointment scheduler. In versions up to and including 1.5.2, the booking reschedule view at `/index.php/booking/reschedule/{appointment_hash}` (handled by `Booking::index()`) embeds the entire customer record as inline JavaScript (`const vars = {... "customer_data": {...}, ...}`) without authentication and without field whitelisting. Anyone in possession of the 12-character `appointment_hash` — which appears in plain text in reschedule emails, confirmation page URLs, and operator-side calendar links — can read every column of that customer's row in the `ea_users` table. Version 1.6.0 contains a patch.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in Easy!Appointments affects versions up to and including 1.5.2 where the booking reschedule functionality exposes sensitive customer data through improper access controls and data sanitization. The specific flaw exists in the `/index.php/booking/reschedule/{appointment_hash}` endpoint which is processed by the Booking::index() method. This endpoint fails to implement proper authentication checks before embedding complete customer records into inline javascript variables, creating a critical information disclosure vulnerability that directly violates security principle of least privilege.

The technical implementation flaw stems from the application's failure to validate user authorization status when serving reschedule requests. The system embeds the entire customer record including all database columns from the `ea_users` table into JavaScript objects without any field-level whitelisting or access control verification. This means that anyone who possesses a valid 12-character appointment hash can retrieve comprehensive personal information about customers, potentially including sensitive details like addresses, phone numbers, email addresses, and other personally identifiable information stored in the database. The vulnerability is classified as CWE-200 Information Exposure and aligns with ATT&CK technique T1213 Data from Information Repositories.

The operational impact of this vulnerability is significant as it allows unauthorized access to customer data through simple means such as reschedule emails, confirmation page URLs, or calendar links that contain the appointment hash in plain text. Attackers can exploit this by simply obtaining a single appointment hash and accessing the reschedule endpoint to extract complete customer records from the database. This creates a persistent risk for organizations using Easy!Appointments where customer privacy and data protection regulations such as GDPR, HIPAA, or PCI DSS may be violated depending on the nature of collected information.

The patch implemented in version 1.6.0 addresses this vulnerability by introducing proper authentication checks and implementing field whitelisting for customer data exposure. Organizations should immediately upgrade to version 1.6.0 or later to remediate this issue, while also reviewing their current deployment for any unauthorized access attempts. Additional mitigations include monitoring for unusual access patterns to reschedule endpoints and ensuring that appointment hashes are properly secured in email communications and URL parameters. The vulnerability demonstrates the critical importance of implementing proper access controls and data sanitization practices in web applications, particularly those handling personal information.

Responsible

GitHub M

Reservation

06/08/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!