API Privilege Escalation in alextselegidis/easyappointments
Description
API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
API privilege escalation in Easy!Appointments prior to 1.5.0 allows unauthenticated attackers to gain admin access and full system takeover.
Vulnerability
The vulnerability is an API privilege escalation in Easy!Appointments, an open-source appointment scheduler. In versions prior to 1.5.0, the API authentication logic in Api.php did not verify that the authenticated user had the admin role slug. The check_login function only validated credentials but did not enforce role checks, allowing any valid user (including non-admin) to access admin-level API endpoints. The fix in commit 63dbb51 adds a check for role_slug to ensure only admin users can authenticate via the API [1][3].
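The defect described above is easiest to see with the credentials-only check beside the role-aware one. The following is an added example that models the pre-1.5.0 and post-fix authentication paths in Python; it is not the project's PHP code, and the user table, password hashing, `check_login`, `api_auth_vulnerable`, `api_auth_fixed` and `DB_SLUG_ADMIN` are constructed stand-ins for the CodeIgniter model and constant the page mentions.

```python
"""Model of the Easy!Appointments API auth defect (CVE-2022-1397):
a credentials-only check versus one that also requires the admin role.
Constructed example; not the project's code."""
import base64
import hashlib
import hmac
import os
from typing import Optional

DB_SLUG_ADMIN = "admin"  # stand-in for the role slug constant the fix compares against
DENIED = "The provided credentials do not match any admin user!"


class Unauthorized(Exception):
    """Raised with the same message for every failure so the API does not
    reveal whether the username exists or which check failed."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(username: str, password: str, role_slug: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": _hash_password(password, salt), "role_slug": role_slug}


# Constructed user table: one admin and one non-admin (provider) account.
USERS = {
    "alice": _make_user("alice", "admin-pass", DB_SLUG_ADMIN),
    "bob": _make_user("bob", "provider-pass", "provider"),
}


def check_login(username: str, password: str) -> Optional[dict]:
    """Credential check only, like the model's check_login: returns the user
    record on success and None otherwise. It knows nothing about roles."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["hash"], _hash_password(password, user["salt"])):
        return None
    return {"username": user["username"], "role_slug": user["role_slug"]}


def _basic_credentials(authorization: Optional[str]) -> tuple:
    """Parse an HTTP Basic Authorization header into (username, password)."""
    if not authorization or not authorization.startswith("Basic "):
        raise Unauthorized(DENIED)
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
        username, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        raise Unauthorized(DENIED)
    return username, password


def api_auth_vulnerable(authorization: Optional[str]) -> dict:
    """Pre-1.5.0 behaviour: any account with valid credentials is let through."""
    username, password = _basic_credentials(authorization)
    userdata = check_login(username, password)
    if not userdata:
        raise Unauthorized(DENIED)
    return userdata


def api_auth_fixed(authorization: Optional[str]) -> dict:
    """1.5.0 behaviour: the returned record must also carry the admin role slug.
    A missing role_slug fails closed, exactly like a wrong password."""
    username, password = _basic_credentials(authorization)
    userdata = check_login(username, password)
    if not userdata or userdata.get("role_slug") != DB_SLUG_ADMIN:
        raise Unauthorized(DENIED)
    return userdata


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a client would send."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def is_admin_authenticated(auth_func, username: str, password: str) -> bool:
    """True if auth_func grants API access for these credentials, False on 401."""
    try:
        auth_func(basic_header(username, password))
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    for name, func in (("vulnerable", api_auth_vulnerable), ("fixed", api_auth_fixed)):
        print(name, "admin:", is_admin_authenticated(func, "alice", "admin-pass"),
              "provider:", is_admin_authenticated(func, "bob", "provider-pass"),
              "bad password:", is_admin_authenticated(func, "bob", "wrong"))
```

Running the block shows the provider account `bob` passing the vulnerable path and being refused by the fixed one, while wrong passwords are refused by both. Keeping one identical 401 message for "wrong password" and "valid but not admin" is deliberate: callers learn nothing about which check failed.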
Exploitation
An attacker can exploit this by obtaining valid credentials for any user account (e.g., through brute-force, leaked credentials, or social engineering). With those credentials, the attacker can make API requests to admin endpoints, bypassing the intended role-based access control. No special network position is required beyond normal HTTP access to the application. The attacker simply sends HTTP Basic Auth with the user's credentials to the API, and prior to the fix, the system would authenticate them without checking if they are an admin [3][4].
Impact
Successful exploitation allows an attacker to perform any administrative action via the API, including creating, modifying, or deleting appointments, services, providers, and user accounts. This leads to full system takeover, as the attacker gains complete control over the Easy!Appointments instance [1][4]. The result is a high-severity compromise of confidentiality, integrity, and availability.
Mitigation
The vulnerability is fixed in version 1.5.0 of Easy!Appointments. Users should upgrade to 1.5.0 or later immediately. The fix is implemented in commit 63dbb51, which adds role slug verification in the API authentication method [3]. No workarounds are documented; upgrading is the recommended mitigation. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| alextselegidis/easyappointments (Packagist) | <= 1.4.3 | — |
Affected products
- alextselegidis/alextselegidis/easyappointments (Range: unspecified)
Patches
63dbb51decfc: Check the role slug in Api.php
1 file changed · +3 −1
application/libraries/Api.php+3 −1 modified@@ -77,7 +77,9 @@ public function auth() $password = $_SERVER['PHP_AUTH_PW']; - if ( ! $this->CI->accounts->check_login($username, $password)) + $userdata = $this->CI->accounts->check_login($username, $password); + + if (empty($userdata['role_slug']) || $userdata['role_slug'] !== DB_SLUG_ADMIN) { throw new RuntimeException('The provided credentials do not match any admin user!', 401, 'Unauthorized'); }
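Review bot: the new condition depends on check_login() returning an array that carries role_slug, and on DB_SLUG_ADMIN being the same value the accounts model stores for administrators, but the diff shows neither the return shape nor the constant's definition; confirm both, since a mismatch would 401 every API request, admins included (fail-closed is the right direction, so this is about verifying the contract rather than the logic). Reusing the single message "The provided credentials do not match any admin user!" for both a wrong password and a valid non-admin login is good, as it tells callers nothing about which check failed. Two further points: with 1 file changed there is no regression test, so add one asserting that a non-admin account (provider or secretary) gets 401 from the API while an admin account succeeds; and the unchanged throw passes the string 'Unauthorized' as RuntimeException's third argument, which PHP's built-in class types as ?Throwable, so confirm this is a project-defined exception class rather than the built-in one, or the 401 would surface as a TypeError.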
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-7f62-4887-cfv5 (GitHub Security Advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-1397 (NVD)
[3] github.com/alextselegidis/easyappointments/commit/63dbb51decfcc1631c398ecd6d30e3a337845526 (fix commit)
[4] huntr.dev/bounties/5f69e094-ab8c-47a3-b01d-8c12a3b14c61 (huntr report)
News mentions
No linked articles in our index yet.