CVE-2026-23622: CWE-352: Cross-Site Request Forgery (CSRF) in alextselegidis easyappointments
Easy!Appointments is a self-hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
AI Analysis
Technical Summary
CVE-2026-23622 is a Cross-Site Request Forgery (CSRF) vulnerability identified in Easy!Appointments, a self-hosted appointment scheduling application. The root cause lies in the application's security mechanism within application/core/EA_Security.php, specifically the csrf_verify() function, which enforces CSRF protection only on POST requests. However, several endpoints in Easy!Appointments perform state-changing operations (such as creating or modifying admin accounts) while accepting parameters via GET requests or the $_REQUEST superglobal, which includes GET parameters. Because CSRF tokens are not verified for these GET requests, an attacker can craft malicious URLs that, when visited by an authenticated user, cause unauthorized actions to be performed without their consent. This can lead to severe consequences including the creation of new admin accounts, modification of existing admin email addresses or passwords, and ultimately full administrative account takeover. The vulnerability requires no prior authentication or privileges and can be exploited remotely through social engineering techniques that induce victims to visit maliciously crafted URLs. The CVSS 4.0 score of 7.4 reflects the vulnerability's network attack vector, low attack complexity, no required privileges or authentication, user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the potential impact is significant given the administrative control that can be gained. The vulnerability affects Easy!Appointments versions 1.5.2 and earlier, and no official patches are linked in the provided data, indicating that users must apply custom mitigations or upgrade once a fix is released.
Potential Impact
For European organizations, especially those in healthcare, professional services, and other appointment-driven sectors, this vulnerability poses a significant risk. Easy!Appointments is often used for scheduling client or patient appointments, and compromise of admin accounts can lead to unauthorized access to sensitive personal data, manipulation of appointment schedules, and disruption of business operations. Attackers gaining admin privileges can alter system configurations, create backdoors, or exfiltrate confidential information, impacting data confidentiality and integrity. The availability of the scheduling service can also be compromised by malicious modifications or deletions. Given the reliance on self-hosted deployments, organizations with less mature patch management or security monitoring may be particularly vulnerable. The vulnerability's exploitation does not require authentication, increasing the attack surface. Additionally, the use of GET requests for state-changing operations is a design flaw that may be exploited in phishing campaigns targeting European users. The impact extends beyond individual organizations to potentially affect service continuity and trust in digital appointment systems across Europe.
Mitigation Recommendations
Immediate mitigation steps include reviewing all Easy!Appointments endpoints that accept GET or $_REQUEST parameters to ensure no state-changing operations are performed via GET requests. Administrators should implement CSRF protections on all endpoints, including those handling GET requests, by enforcing token verification regardless of HTTP method. If upgrading to a fixed version is not yet possible, web application firewalls (WAFs) can be configured to block suspicious GET requests that attempt to perform administrative actions. Organizations should also educate users to avoid clicking on untrusted links and monitor logs for unusual GET requests that trigger state changes. Network segmentation and limiting access to the Easy!Appointments interface to trusted IP ranges can reduce exposure. Regular backups and incident response plans should be in place to recover from potential compromises. Finally, organizations should track vendor updates closely and apply patches promptly once available.
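The following is an added illustrative example, not code from Easy!Appointments itself: it places a CSRF check of the shape described in the technical summary (early return for anything but POST) beside the hardened check the mitigation section calls for, where only a declared allow-list of read-only routes is exempt and the token is never read from the query string. The session layout, route names and helper signatures are assumptions.

```php
<?php
// Illustrative reimplementation, not the project's own EA_Security.php.
// Assumed: the per-session token lives in $session['csrf_token'];
// route names such as "users/save" are hypothetical.

// Vulnerable shape: any non-POST request skips verification entirely, so a
// handler that writes to the database from GET (or $_REQUEST) parameters is
// reachable from a cross-site link.
function csrf_verify_weak(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return true; // early return: GET, PUT, DELETE... are never checked
    }
    return isset($post['csrf_token'], $session['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Hardened shape: a request is exempt only if it uses a safe method AND hits
// a route the application has declared side-effect-free. Everything else
// needs a valid token, accepted from the POST body or a custom header only,
// never from the query string, so a plain URL can never satisfy the check.
function csrf_verify_hardened(
    string $method,
    string $route,
    array $post,
    array $headers,
    array $session,
    array $readOnlyRoutes
): bool {
    $safeMethod = in_array($method, ['GET', 'HEAD', 'OPTIONS'], true);
    if ($safeMethod && in_array($route, $readOnlyRoutes, true)) {
        return true; // genuinely read-only endpoint
    }
    $supplied = $post['csrf_token'] ?? $headers['X-CSRF-Token'] ?? null;
    if ($supplied === null || empty($session['csrf_token'])) {
        return false; // no token presented, or no token issued yet
    }
    // Constant-time comparison avoids leaking the token through timing.
    return hash_equals($session['csrf_token'], (string) $supplied);
}

// Constructed demonstration: a cross-site GET to the hypothetical
// "users/save" route carries no token. The weak check accepts it; the
// hardened check rejects it because that route is not on the allow-list.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
var_dump(csrf_verify_weak('GET', [], $session));
var_dump(csrf_verify_hardened('GET', 'users/save', [], [], $session, ['calendar/index']));
```

Pairing the hardened check with a review that moves every mutating handler off GET closes the second half of the issue: a token requirement stops forged requests, but a state change triggered by a bare URL remains a design flaw even when protected.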
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-14T16:08:37.482Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6969476c1ab3796b1034af96
Added to database: 1/15/2026, 8:00:44 PM
Last enriched: 1/15/2026, 8:15:36 PM
Last updated: 1/15/2026, 9:49:16 PM