Main Vulnerability Database Vulnerabilities #VU134524

Authorization bypass through user-controlled key in Easy!Appointments - CVE-2026-52841

Published: June 15, 2026

Vulnerability identifier: #VU134524

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-52841

CWE-ID: CWE-639

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: A.Tselegidis

Affected software:
Easy!Appointments

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify appointment data.

The vulnerability exists due to improper access control in the Google OAuth provider binding flow when processing a user-supplied provider_id during OAuth setup and callback handling. A remote privileged user can bind a peer provider's Google sync to a Google account they control to disclose sensitive information and modify appointment data.

User interaction is required to complete the Google OAuth consent flow, and only instances with Google Calendar OAuth configured are vulnerable.

How to mitigate CVE-2026-52841

Install security update from vendor's website.

Sources

https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-8hm4-r66f-29wr

Authorization bypass through user-controlled key in Easy!Appointments - CVE-2026-52841

Detailed vulnerability description

How to mitigate CVE-2026-52841

Sources

Please verify you're human