Appointment Scheduling Flaw in Easy!Appointments by Alex Tselegidis
CVE-2026-52839
What is CVE-2026-52839?
Easy!Appointments, a self-hosted appointment scheduling software, exhibits a vulnerability whereby authenticated providers can inadvertently alter appointments of other providers without proper verification. Specifically, while version 1.6.0 correctly filters provider-specific appointments in the appointments/search endpoint, the mutation endpoints appointments/store and appointments/update fail to validate if the id_users_provider belongs to the current session. This oversight enables malicious users to inject new appointments into a different provider's schedule or reassign existing ones. Additionally, a flaw exists where the unauthorized changes are committed to the database before the controller encounters an error, resulting in the persistence of unauthorized appointments even after the failure message is returned to the attacker. This critical issue was resolved in version 1.6.0.
Affected Version(s)
easyappointments < 1.6.0
