Bookings: Outside the lines until CVE-2026-54998
Microsoft Bookings had a serious authorization flaw: a low-privileged user (application) could act across tenant boundaries, turning a scheduling service into a privilege escalation path. CVE-2026-54998 was reported, fixed, and closed within 27 days.