Authorization bypass through user-controlled key in Easy!Appointments - CVE-2026-52839


Published: June 15, 2026


Vulnerability identifier: #VU134526
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-52839
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: A.Tselegidis
Affected software:
Easy!Appointments

Detailed vulnerability description

The vulnerability allows a remote user to modify appointments in another provider's schedule.

The vulnerability exists due to improper access control in the appointments/store and appointments/update endpoints when handling appointment modification requests with a user-controlled id_users_provider value. A remote privileged user can submit a crafted appointment request to modify appointments in another provider's schedule.

In the store path, the unauthorized appointment row is committed before the controller crashes, so the change persists even if the request returns an internal server error.
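The check that closes CWE-639 here is an ownership check on the server side: the authenticated session, not the id_users_provider field in the request body, decides whose schedule may be written, and that check has to run before anything is committed. The following is an added illustration, not Easy!Appointments code: the store and provider roles are constructed stand-ins, and the field names id_users_customer and start_datetime are assumed alongside the id_users_provider field named in the advisory. It contrasts the commit-then-fail ordering the advisory describes with a validate-then-commit ordering, and shows the equivalent check on the update path, where both the stored row's provider and any new provider value must be authorized.

```python
"""Provider-scoped appointment writes: ownership check before commit.

Added example (constructed, not project code). Field names other than
id_users_provider are assumptions; roles "admin"/"provider" are constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Dict


class Forbidden(Exception):
    """Caller may not write the requested provider's schedule."""


class ValidationError(Exception):
    """Request lacks a field the appointment needs."""


@dataclass
class Session:
    user_id: int
    role: str  # constructed: "admin" or "provider"


@dataclass
class AppointmentStore:
    """Constructed stand-in for the appointments table."""
    rows: Dict[int, Dict[str, Any]] = field(default_factory=dict)
    next_id: int = 1

    def insert(self, appointment: Dict[str, Any]) -> int:
        row_id = self.next_id
        self.next_id += 1
        self.rows[row_id] = dict(appointment)
        return row_id


REQUIRED = ("id_users_provider", "id_users_customer", "start_datetime")


def authorize_provider(session: Session, provider_id: int) -> None:
    """Ownership check: only admins, or the provider whose own id matches, pass."""
    if session.role == "admin":
        return
    if session.role == "provider" and session.user_id == provider_id:
        return
    raise Forbidden(f"user {session.user_id} may not write provider {provider_id}'s schedule")


def validate(appointment: Dict[str, Any]) -> None:
    missing = [k for k in REQUIRED if k not in appointment]
    if missing:
        raise ValidationError(f"missing fields: {missing}")


def store_commit_first(store: AppointmentStore, session: Session, appointment: Dict[str, Any]) -> int:
    """Ordering the advisory describes for the store path: the row is written,
    then processing fails. The caller sees an error but the row stays."""
    row_id = store.insert(appointment)
    authorize_provider(session, appointment["id_users_provider"])  # too late: already persisted
    validate(appointment)
    return row_id


def store_checked(store: AppointmentStore, session: Session, appointment: Dict[str, Any]) -> int:
    """Hardened ordering: validate and authorize before anything is written."""
    validate(appointment)
    authorize_provider(session, appointment["id_users_provider"])
    return store.insert(appointment)


def update_checked(store: AppointmentStore, session: Session, appointment_id: int,
                   changes: Dict[str, Any]) -> Dict[str, Any]:
    """Update path: authorize against the stored row's provider and, if the
    request tries to change it, against the new provider as well."""
    existing = store.rows.get(appointment_id)
    if existing is None:
        raise ValidationError(f"no appointment {appointment_id}")
    authorize_provider(session, existing["id_users_provider"])
    if "id_users_provider" in changes:
        authorize_provider(session, changes["id_users_provider"])
    existing.update(changes)
    return existing


if __name__ == "__main__":
    # Constructed sample: provider 7 submits an appointment carrying provider 9's id.
    store = AppointmentStore()
    provider = Session(user_id=7, role="provider")
    foreign = {"id_users_provider": 9, "id_users_customer": 3, "start_datetime": "2026-06-16 09:00:00"}
    try:
        store_commit_first(store, provider, foreign)
    except Forbidden as exc:
        print("commit-first rejected the request but left", len(store.rows), "row(s):", exc)
    try:
        store_checked(AppointmentStore(), provider, foreign)
    except Forbidden as exc:
        print("checked ordering rejected the request and wrote nothing:", exc)
```

The point of the two store functions is the second sentence of the advisory's description: an authorization failure that fires after the insert is not a mitigation, because the database already holds the row when the 500 is returned. Detection-wise, a provider account producing appointments/store or appointments/update requests whose id_users_provider differs from the session's own user id is the signal to alert on while the fix is rolled out.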


How to mitigate CVE-2026-52839

Install the security update from the vendor's website.

Sources