CVE-2026-52841 in easyappointments
Summary
by MITRE • 07/14/2026
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php:278` stores its URL-supplied `provider_id` in the session, and `oauth_callback` saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability in Easy!Appointments prior to version 1.6.0 represents a critical access control flaw that enables unauthorized users to hijack Google calendar synchronization for other users within the system. This issue stems from improper validation of provider ownership during the OAuth authentication process, creating a privilege escalation vector that allows malicious actors to manipulate calendar data across different user accounts.
The technical implementation resides in the Google OAuth controller at application/controllers/Google.php line 278 where the system stores URL-supplied provider_id values directly into user sessions without adequate verification. This design flaw creates a session manipulation opportunity where any authenticated user can potentially access and modify another user's Google calendar synchronization settings. The oauth_callback function subsequently processes the issued Google OAuth token against the stored provider_id without performing ownership validation checks, effectively allowing arbitrary reassignment of calendar sync permissions.
This vulnerability operates under the CWE-285 access control weakness category, specifically manifesting as improper authorization in the authentication flow. Attackers can exploit this by leveraging their own Google account credentials to claim ownership of another user's calendar synchronization settings. The operational impact extends beyond simple data exposure, as the compromised calendar entries contain sensitive customer information including names and email addresses that are automatically attached as attendee data during appointment synchronization. This creates a significant privacy breach risk for organizations using Easy!Appointments for healthcare, legal, or other sensitive service sectors.
The security implications of this vulnerability align with ATT&CK technique T1566.002 for credential harvesting and T1078.004 for valid accounts exploitation. Any logged-in backend user regardless of their role—whether administrator, provider, or secretary—can perform this reassignment, making it particularly dangerous in multi-user environments where access controls are expected to be enforced. The patch implemented in version 1.6.0 addresses this by introducing proper ownership validation checks that verify the authenticated user has legitimate permissions to modify the target provider's calendar settings before allowing synchronization reconfiguration.
Organizations should immediately implement the version 1.6.0 update and conduct thorough security audits of their Easy!Appointments installations to ensure all users have appropriate access controls. Additional mitigations include implementing role-based access controls, monitoring for unauthorized calendar sync modifications, and conducting regular penetration testing to identify similar authentication bypass vulnerabilities in custom applications that handle third-party authentication flows. The vulnerability demonstrates the critical importance of validating user permissions at every step of authentication processes, particularly when dealing with sensitive data synchronization operations involving external services like Google Calendar.