CVE-2026-52841
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php
CVSS
3.1
Bajo
EPSS
0.1%
p3
KEV
—
Exploit Today
1
0-100
Publicado: 14 jul 2026 · Última mod.: 14 jul 2026 · CWE-639
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php:278` stores its URL-supplied `provider_id` in the session, and `oauth_callback` saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.
- github.comhttps://github.com/alextselegidis/easyappointments/commit/4b2d245d2cd2058dc76e05f6eb65b26699268471
- github.comhttps://github.com/alextselegidis/easyappointments/security/advisories/GHSA-8hm4-r66f-29wr
- github.comhttps://github.com/alextselegidis/easyappointments/security/advisories/GHSA-8hm4-r66f-29wr