The website allows people to book appointments without using their NHS number, by entering their name, date of birth and postcode.
But it gives different results depending on whether the individual has already had two doses, one or none, allowing another user to quickly determine other people's vaccination status.
In the case of someone who has had both doses it currently says: "You do not need to book any coronavirus (COVID-19) appointments using this service." The Guardian earlier reported that it said "you have had both of your appointments".
For people who have had one dose, the site presents a screen referring to their booking for a second appointment.
And for those who have not had any jabs, it goes to a standard screening page.
Silkie Carlo, director of Big Brother Watch, said it is "a seriously shocking failure to protect patients' medical confidentiality at a time when it could not be more important".
She said the data was "exposed to absolutely anyone to pry into" because date of birth and postcode information can easily be found or bought.
"This is personal health information that could easily be exploited by companies, insurers, employers or scammers," Ms Carlo said.
"Robust protections must be put in place immediately and an urgent investigation should be opened to establish how such basic privacy protections could be missing from one of the most sensitive health databases in the country."
The National Data Guardian for Health and Social Care, which advises healthcare organisations about handling personal data, said it had been contacted by some people with concerns about the way the NHS booking site works.
"It is important that it is as simple and easy as possible for people to book their vaccinations and we understand that the website has been developed to support this aim," a spokeswoman for the Office of the National Data Guardian said.
But the spokeswoman said the organisations responsible for the site had been contacted to raise its concerns and discuss "the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public".
NHS Digital said it was revising the messages used by the booking system to improve privacy, but suggested that conclusions about someone's vaccine status from entering other people's data would not always be accurate.
The online booking system enabled millions of people to book their vaccinations quickly and easily, it said.
A spokesperson said: "This is making a significant impact on the management and containment of the pandemic and is saving lives.
"The system does not provide access to anyone's medical records and people should not be fraudulently using the service - it should only be used by people booking their own vaccines or for someone who has knowingly provided their details for this purpose."