Session Management Vulnerability in Easy!Appointments by Alex Tselegidis
CVE-2026-52841
3.1LOW
What is CVE-2026-52841?
A session management vulnerability exists in Easy!Appointments prior to version 1.6.0, which allows logged-in users to exploit Google OAuth token handling. Specifically, the application stores the URL-supplied provider_id without verifying the owner's authenticity. This flaw enables a backend user, whether an admin or secretary, to reassign a peer's Google sync to a Google account they control. Consequently, the attacker gains access to another user's appointments, which include customers' names and email addresses, effectively compromising their privacy. Version 1.6.0 addresses this issue.
Affected Version(s)
easyappointments < 1.6.0
