Appointment Scheduling Flaw in Easy!Appointments by Alex Tselegidis
CVE-2026-52839

3.3LOW

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-52839?

Easy!Appointments, a self-hosted appointment scheduling software, exhibits a vulnerability whereby authenticated providers can inadvertently alter appointments of other providers without proper verification. Specifically, while version 1.6.0 correctly filters provider-specific appointments in the appointments/search endpoint, the mutation endpoints appointments/store and appointments/update fail to validate if the id_users_provider belongs to the current session. This oversight enables malicious users to inject new appointments into a different provider's schedule or reassign existing ones. Additionally, a flaw exists where the unauthorized changes are committed to the database before the controller encounters an error, resulting in the persistence of unauthorized appointments even after the failure message is returned to the attacker. This critical issue was resolved in version 1.6.0.

Affected Version(s)

easyappointments < 1.6.0

References

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.