Skip to main content

Easy!Appointments CVE-2026-52839

| EUVDEUVD-2026-43720 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-14 GitHub_M
3.3
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
3.3 LOW
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.3 MEDIUM

Any normal provider account can exploit this with a simple parameter substitution (AC:L, PR:L); impact is integrity-only - no confidentiality or availability loss described.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 18:20 EUVD
Source Code Evidence Fetched
Jul 14, 2026 - 16:13 vuln.today
Analysis Generated
Jul 14, 2026 - 16:13 vuln.today

DescriptionCVE.org

Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 correctly filter provider-scoped appointments in the appointments/search response, proving that provider isolation is an intended security boundary. However, the direct mutation endpoints appointments/store and appointments/update only check generic appointment privileges and never verify that the submitted id_users_provider belongs to the current session. A normal authenticated provider can inject new appointments into another provider's schedule via store, or reassign existing appointments into a foreign provider's calendar via update. The store path contains an additional write-before-crash bug: the unauthorized row is committed to the database before the controller crashes on a type error, so the attacker receives an error response while the foreign appointment is already persisted. Version 1.6.0 patches the issue.

AnalysisAI

Horizontal privilege escalation in Easy!Appointments prior to 1.6.0 permits any authenticated provider to inject appointments into a peer provider's calendar or reassign existing appointments across provider boundaries by supplying an arbitrary id_users_provider value to the store and update API endpoints. The asymmetry is stark: the search endpoint correctly enforces provider-scoped filtering, confirming the isolation boundary was intentionally designed - making this an incomplete implementation rather than a missing feature. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain provider-role credentials
Delivery
Authenticate to Easy!Appointments API
Exploit
Enumerate peer provider numeric IDs via scheduling UI
Install
Craft POST body with foreign id_users_provider
C2
Submit to /appointments/store or /appointments/update
Execute
Unauthorized appointment committed to database despite error response
Impact
Victim provider's schedule silently manipulated

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated provider-role account within the target Easy!Appointments instance - unauthenticated external attackers cannot exploit this directly. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The assigned CVSS 3.1 score of 3.3 (AV:N/AC:H/PR:H) materially underestimates exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a valid Easy!Appointments provider account enumerates the numeric IDs of peer providers (discoverable via scheduling UI or API), then posts a crafted JSON body to `/appointments/store` with a substituted `id_users_provider` referencing the target. The database commits the unauthorized appointment row before the controller crashes, so the victim provider's calendar is modified while the attacker receives only an HTTP error - making the attack look like a failed request in access logs. …
Remediation Upgrade to Easy!Appointments version 1.6.0, which patches the provider authorization bypass per the vendor security advisory at https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-w8xc-8g92-v77h; the fix is tracked in commit 4abb10545d83ac1a57d03f6502376ee67696ee7c. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-57602 CRITICAL POC
9.8 Feb 12

An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php f

CVE-2023-1269 CRITICAL POC
9.8 Mar 08

Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated critical severi

CVE-2022-0482 CRITICAL POC
9.1 Mar 09

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments p

CVE-2023-2105 HIGH POC
8.8 Apr 15

Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS 8.8), th

CVE-2022-1397 HIGH POC
8.8 May 10

API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS

CVE-2024-57601 MEDIUM POC
6.1 Feb 12

Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbit

CVE-2023-2104 MEDIUM POC
5.4 Apr 15

Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium severity (CVSS

CVE-2023-2103 MEDIUM POC
5.4 Apr 15

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se

CVE-2023-2102 MEDIUM POC
4.8 Apr 15

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se

CVE-2023-3700 MEDIUM POC
4.3 Jul 17

Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Ra

CVE-2023-1367 LOW POC
3.8 Mar 13

Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated low severity (CVSS 3.8), this

CVE-2026-55651 HIGH
7.1 Jul 14

Broken object-level authorization in Easy!Appointments 1.5.2 lets any authenticated user query the customers search endp

Share

CVE-2026-52839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy