CVE-2026-52841 in easyappointmentsinfo

Zusammenfassung

von MITRE • 14.07.2026

Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php:278` stores its URL-supplied `provider_id` in the session, and `oauth_callback` saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Zuständig

GitHub M

Reservieren

08.06.2026

Veröffentlichung

14.07.2026

Moderieren

akzeptiert

Eintrag

VDB-378342

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Do you need the next level of professionalism?

Upgrade your account now!