CVE-2026-52840 in easyappointmentsinfo

Summary

by MITRE • 07/14/2026

Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Caldav::connect_to_server` at `application/controllers/Caldav.php:60` hands the request's `caldav_url` to a Guzzle `REPORT` call without scheme or host validation. A logged-in backend user (admin, provider, or secretary) reaches loopback, RFC1918, and link-local hosts on the deployment's network. The Guzzle exception path returns the upstream status code plus ~120 bytes of response body in the JSON `message` field (`Caldav.php:74-78`), so the SSRF is semi-blind. Version 1.6.0 contains a patch.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability exists within Easy!Appointments version 1.6.0 and earlier, specifically in the Caldav.php controller file where the `Caldav::connect_to_server` function processes user-provided caldav_url parameters. This function directly passes the input parameter to a Guzzle HTTP client REPORT request without any validation of the URL scheme or host components. The flaw creates a server-side request forgery vulnerability that allows authenticated users with administrative, provider, or secretary roles to make requests to internal network services. Attackers can leverage this vulnerability to access loopback addresses, private RFC1918 ranges, and link-local addresses that are typically not directly accessible from the internet but exist within the deployment's network infrastructure.

The technical implementation of this vulnerability stems from improper input validation at the application layer where user-supplied URLs are blindly forwarded to external services without proper sanitization or verification. When the Guzzle client makes the REPORT request, it follows the full URL provided by the attacker, including any internal network addresses that might be accessible from within the server's network context. The HTTP response handling in this vulnerable version returns the upstream status code along with approximately 120 bytes of response body data directly into the JSON message field of the application's response, creating a semi-blind attack vector where attackers can infer information about internal services based on response characteristics.

This vulnerability has significant operational impact as it provides authenticated users with the ability to perform reconnaissance and potentially exploit internal network services that should normally be isolated from external access. The semi-blind nature of the attack means that while full responses are not directly exposed, enough information is leaked through status codes and limited response bodies to enable attackers to determine service availability, basic configuration details, or even identify specific vulnerabilities in internal systems. The fact that this affects administrative roles makes it particularly dangerous as these users typically have elevated privileges within the application and could potentially use this vector to escalate their access further.

The vulnerability aligns with CWE-918 which describes server-side request forgery issues where applications fail to validate external URLs, and maps to ATT&CK technique T1105 for remote service access. Organizations should immediately upgrade to version 1.6.0 or later where the patch has been implemented to prevent unvalidated URL forwarding. Additional mitigations include implementing strict URL validation at the application level, restricting outbound network connections from the web server, and employing network segmentation to isolate internal services from direct web exposure. The patch in version 1.6.0 likely includes proper URL scheme and host validation checks that ensure only legitimate external URLs are processed by the Caldav functionality, thereby preventing attackers from crafting malicious requests that could access internal resources through this interface.

Responsible

GitHub M

Reservation

06/08/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!