PT-2026-58067 · Unknown · Easyappointments

CVE-2026-52839

·

Published

2026-07-14

·

Updated

2026-07-14

CVSS v3.1

3.3

Low

VectorAV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Easy!Appointments versions prior to 1.6.0
Description An issue exists where the application fails to verify if the id users provider submitted to specific endpoints belongs to the current session. While provider isolation is maintained in search responses, the mutation endpoints 'appointments/store' and 'appointments/update' only check for generic privileges. This allows an authenticated provider to inject new appointments into another provider's schedule or reassign existing appointments to a different provider's calendar. Additionally, the 'appointments/store' endpoint contains a write-before-crash bug where unauthorized data is committed to the database before a type error causes the controller to crash, resulting in the data being persisted despite the user receiving an error response.
Recommendations Update to version 1.6.0. Restrict the use of the id users provider variable in the 'appointments/store' and 'appointments/update' endpoints until the update is applied.

Exploit

Fix

Missing Authorization

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-52839
GHSA-W8XC-8G92-V77H

Affected Products

Easyappointments