Session Management Vulnerability in Easy!Appointments by Alex Tselegidis
CVE-2026-52841

3.1LOW

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-52841?

A session management vulnerability exists in Easy!Appointments prior to version 1.6.0, which allows logged-in users to exploit Google OAuth token handling. Specifically, the application stores the URL-supplied provider_id without verifying the owner's authenticity. This flaw enables a backend user, whether an admin or secretary, to reassign a peer's Google sync to a Google account they control. Consequently, the attacker gains access to another user's appointments, which include customers' names and email addresses, effectively compromising their privacy. Version 1.6.0 addresses this issue.

Affected Version(s)

easyappointments < 1.6.0

References

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.