Home

Description

Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php:278` stores its URL-supplied `provider_id` in the session, and `oauth_callback` saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.

PUBLISHED Reserved 2026-06-08 | Published 2026-07-14 | Updated 2026-07-14 | Assigner GitHub_M




LOW: 3.1CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 1.6.0
affected

References

github.com/...tments/security/advisories/GHSA-8hm4-r66f-29wr exploit

github.com/...tments/security/advisories/GHSA-8hm4-r66f-29wr

github.com/...ommit/4b2d245d2cd2058dc76e05f6eb65b26699268471

cve.org (CVE-2026-52841)

nvd.nist.gov (CVE-2026-52841)

Download JSON