Cal.com Security Flaws Expose Millions to Potential Data Breaches; Urges Users to Update and Monitor Accounts

Cal.com, a widely used open-source scheduling platform and an alternative to tools such as Calendly, recently fixed security vulnerabilities that could have allowed unauthorized access to user accounts and sensitive booking information. The platform offers calendar synchronization, team scheduling, and video conferencing.

On January 26, 2026, security researchers disclosed a set of related security flaws in Cal.com. Together they allowed an attacker to take over user accounts and retrieve confidential meeting details, including attendee names, email addresses, and complete booking histories.

Detailed Analysis of the Vulnerabilities

Two vulnerabilities were identified; the first chained three separate weaknesses in the signup flow:

1. Authentication Bypass via Organization Invite Tokens: The most critical flaw lay in the platform’s handling of organization invite tokens. A defective username validation function failed to check whether an email address already belonged to an existing account, so the signup flow reached through an organization invite link accepted registrations for email addresses that already had accounts.

The chain worked as follows:

– Step 1: The signup validation did not reject users who were already affiliated with an organization, so they passed the standard checks.

– Step 2: The email-existence check searched only within the attacker’s own organization, so an existing user in any other organization was never found.

– Step 3: The database write matched users on the globally unique email address instead of creating a new row, so the victim’s existing record was updated in place and its password replaced with the attacker’s chosen password.

To exploit this, an attacker generates a shareable invite link for an organization they control, opens the signup page, enters the victim’s email address together with a password of their choosing, and then logs in with full access to the victim’s account. The legitimate account owner receives no notification that this has happened.

In response, Cal.com addressed this issue in version 6.0.8 by implementing proper user existence checks during the signup process.
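The three steps above, modelled as an added example that is not Cal.com’s own code: an in-memory user store, an existence check scoped to the inviting organization, and a write that matches on the globally unique email (upsert semantics), beside a hardened signup that checks existence globally and only ever inserts. All type names, the store layout, the placeholder `hash` function and the sample users are assumptions for illustration.

```typescript
// Added example (not Cal.com code): an in-memory model of the invite-signup
// chain described in the article. All names, the store layout and the
// placeholder hash function are assumptions for illustration.

type User = { id: number; email: string; passwordHash: string; orgId: number | null };

// Constructed sample data: the victim belongs to org 1, the attacker to org 2.
const seedUsers = (): User[] => [
  { id: 1, email: "victim@example.com", passwordHash: "hash(victim-secret)", orgId: 1 },
  { id: 2, email: "attacker@example.com", passwordHash: "hash(attacker-secret)", orgId: 2 },
];

// Placeholder for a real password hash so the example runs offline.
const hash = (pw: string): string => `hash(${pw})`;

type SignupResult = { ok: true; user: User } | { ok: false; reason: string };

// Steps 1-2: the only existence check is scoped to the inviting organization,
// so a victim whose account lives in another organization is never found.
function emailExistsInOrg(store: User[], email: string, orgId: number): boolean {
  return store.some(u => u.email === email && u.orgId === orgId);
}

// Step 3: the write matches on the globally unique email, so when a row already
// exists it is updated in place (upsert semantics) rather than a new row created.
function upsertByEmail(store: User[], email: string, passwordHash: string, orgId: number): User {
  const existing = store.find(u => u.email === email);
  if (existing) {
    existing.passwordHash = passwordHash;
    existing.orgId = orgId;
    return existing;
  }
  const created: User = { id: store.length + 1, email, passwordHash, orgId };
  store.push(created);
  return created;
}

// Vulnerable signup: the org-scoped check passes for a cross-org victim and the
// upsert then overwrites that victim's password.
function vulnerableInviteSignup(store: User[], inviteOrgId: number, email: string, password: string): SignupResult {
  if (emailExistsInOrg(store, email, inviteOrgId)) {
    return { ok: false, reason: "already a member of this organization" };
  }
  return { ok: true, user: upsertByEmail(store, email, hash(password), inviteOrgId) };
}

// Hardened signup: existence is checked across all users, and the write is a
// plain insert that cannot touch an existing row even if the check were bypassed.
function hardenedInviteSignup(store: User[], inviteOrgId: number, email: string, password: string): SignupResult {
  if (store.some(u => u.email === email)) {
    return { ok: false, reason: "an account with this email already exists" };
  }
  const user: User = { id: store.length + 1, email, passwordHash: hash(password), orgId: inviteOrgId };
  store.push(user);
  return { ok: true, user };
}

// Runs the attack from the article (the attacker signs the victim's email up
// through the attacker's own org invite) against a fresh store and returns the
// victim's stored password hash afterwards.
function victimHashAfterAttack(signup: typeof vulnerableInviteSignup): string {
  const store = seedUsers();
  signup(store, 2, "victim@example.com", "attacker-chosen");
  return store.find(u => u.email === "victim@example.com")!.passwordHash;
}
```

The two defences in the hardened variant are independent on purpose: the global existence check is the fix the article describes, and replacing the upsert with an insert means that a future regression in the check can no longer turn a signup into a password overwrite.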

2. Exposure of Booking Data through Insecure Direct Object References (IDOR): A second vulnerability lay in the platform’s API endpoints, which accepted booking identifiers without verifying that the caller owned the booking. Any authenticated user could therefore read and delete all bookings across the platform.

Cal.com mitigated this risk by restricting direct access to internal route handlers and promptly releasing fixes within days of the initial report.
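The IDOR pattern just described, as an added example that is not Cal.com’s own code: a read and a delete handler that use the request’s booking id directly, beside versions whose lookup is scoped to the calling user. The record shape, the ids, the session model and the sample bookings are assumptions for illustration.

```typescript
// Added example (not Cal.com code): a booking read/delete handler with the
// IDOR described above beside an ownership-scoped version. The record shape,
// ids and session model are assumptions for illustration.

type Booking = { id: number; ownerId: number; attendeeEmail: string; title: string };
type Session = { userId: number };
type ApiResult<T> = { status: 200; body: T } | { status: 404 };

// Constructed sample data: two users, each owning one booking.
const seedBookings = (): Booking[] => [
  { id: 101, ownerId: 1, attendeeEmail: "alice@example.com", title: "Intro call" },
  { id: 102, ownerId: 2, attendeeEmail: "bob@example.com", title: "Design review" },
];

// Vulnerable: authentication is required, but the id from the request is used
// as-is, so any logged-in user can read or delete any booking.
function vulnerableGetBooking(store: Booking[], _session: Session, id: number): ApiResult<Booking> {
  const booking = store.find(b => b.id === id);
  return booking ? { status: 200, body: booking } : { status: 404 };
}

function vulnerableDeleteBooking(store: Booking[], _session: Session, id: number): ApiResult<true> {
  const idx = store.findIndex(b => b.id === id);
  if (idx < 0) return { status: 404 };
  store.splice(idx, 1);
  return { status: 200, body: true };
}

// Hardened: the lookup itself is scoped to the caller, so the authorization
// check cannot be forgotten after the fetch, and a foreign id is answered
// exactly like a missing one (404, not 403) so valid ids cannot be enumerated.
function findOwned(store: Booking[], session: Session, id: number): Booking | undefined {
  return store.find(b => b.id === id && b.ownerId === session.userId);
}

function hardenedGetBooking(store: Booking[], session: Session, id: number): ApiResult<Booking> {
  const booking = findOwned(store, session, id);
  return booking ? { status: 200, body: booking } : { status: 404 };
}

function hardenedDeleteBooking(store: Booking[], session: Session, id: number): ApiResult<true> {
  const booking = findOwned(store, session, id);
  if (!booking) return { status: 404 };
  store.splice(store.indexOf(booking), 1);
  return { status: 200, body: true };
}

// Cross-user scenario: user 1 tries to read and then delete user 2's booking 102.
function crossUserAttempt(get: typeof vulnerableGetBooking, del: typeof vulnerableDeleteBooking) {
  const store = seedBookings();
  const attacker: Session = { userId: 1 };
  const read = get(store, attacker, 102).status;
  const removed = del(store, attacker, 102).status;
  return { read, removed, remaining: store.length };
}
```

Scoping the query by owner rather than fetching first and checking afterwards is the design choice worth copying: every handler that goes through `findOwned` inherits the check, and the handler that the article says was reachable directly would have had nothing to bypass.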

Implications and Recommendations

The discovery of these vulnerabilities underscores the importance of robust authorization and account-management controls in platforms that handle sensitive user data. Unauthorized access to personal and organizational booking information can lead to privacy breaches, identity theft, and financial loss.

Users of Cal.com are strongly advised to:

– Update to the Latest Version: Ensure that the platform is updated to version 6.0.8 or later to benefit from the security patches addressing these vulnerabilities.

– Monitor Account Activity: Regularly review account activity for any unauthorized actions and report suspicious behavior immediately.

– Enhance Security Practices: Implement strong, unique passwords and consider enabling two-factor authentication (2FA) to add an extra layer of security to accounts.

For organizations utilizing Cal.com, it is imperative to conduct comprehensive security audits and educate employees about potential security risks associated with digital scheduling tools.

Conclusion

The recent security issues faced by Cal.com highlight the ever-present challenges in maintaining digital security. While the platform has taken swift action to rectify these vulnerabilities, users must remain vigilant and proactive in safeguarding their personal and organizational information.