CVE-2026-52841 PUBLISHED

Easy!Appointments: Authorization bypass in Google OAuth provider binding lets any backend user rebind a peer provider's Google sync

Assigner: GitHub_M
Reserved: 08.06.2026 Published: 14.07.2026 Updated: 14.07.2026

Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, Google::oauth at application/controllers/Google.php:278 stores its URL-supplied provider_id in the session, and oauth_callback saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 3.1

Product Status

Vendor alextselegidis
Product easyappointments
Versions
  • Version < 1.6.0 is affected

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE