A series of serious flaws in Cal.com, an open-source scheduling system used by businesses and developers all over the world, allowed attackers to bypass authentication entirely. The flaws stemmed from logic errors in the signup flow and from improperly configured Next.js routing; this article walks through the signup-flow vulnerability and the routing exposure.
Successful exploitation let unauthorized actors take over (ATO) existing users' accounts and obtain sensitive booking information, including private meeting metadata and attendee PII. Cal.com has since fixed these vulnerabilities in version 6.0.8.

The Flaw in Logic: Using Invite Tokens to Take Over Accounts

The most serious vulnerability was an authentication bypass in the organization signup process. With only the victim's email address and a legitimate organization invite token, an attacker could take control of any user account. Three defects chained together:
Inadequate Username Validation: The usernameCheckForSignup function was intended to determine whether a user already existed. If the target user was already a member of an organization, however, a conditional check skipped that validation: when userIsAMemberOfAnOrg returned true, the function incorrectly reported that the signup could continue.
Scoped Database Queries: The secondary validation step did check for existing users, but only within the attacker's organization ID. The prisma.user.findFirst call asked whether the email was present in that particular organization. If the victim belonged to a different organization, the query returned null, which the code took as confirmation that the signup was legitimate.

The Global Upsert Overwrite: The final stage ran a prisma.user.upsert operation. Because the Cal.com database schema makes email addresses globally unique, the upsert matched the victim's existing record and executed its update block instead of creating a new user.
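The three steps above, as an added example that is not code from Cal.com or from Gecko Security: a minimal TypeScript model of the invite-token signup chain, with an in-memory UserTable standing in for the Prisma user table. The class, the function and field names, and the sample users are assumptions for illustration. vulnerableSignup reproduces the skipped existence check, the org-scoped query and the global upsert; hardenedSignup shows the strict existence validation the fix enforces, and uses a create instead of an upsert so the unique index on email is the last line of defence.

```typescript
// Added example, not code from Cal.com or Gecko Security. UserTable stands in for the
// Prisma user table; names, fields and sample users are assumptions for illustration.
type User = {
  id: number;
  email: string; // globally unique, as in the Cal.com schema
  username: string;
  organizationId: number | null;
  passwordHash: string;
};

type SignupRequest = {
  email: string; // the attacker supplies the victim's email here
  username: string;
  passwordHash: string;
  inviteToken: { organizationId: number }; // a valid invite for an org the attacker controls
};

class UserTable {
  private rows: User[];
  private nextId: number;

  constructor(seed: Omit<User, "id">[]) {
    this.rows = seed.map((u, i) => ({ id: i + 1, ...u }));
    this.nextId = this.rows.length + 1;
  }

  // Stand-in for prisma.user.findFirst({ where: { email, organizationId? } }).
  findFirst(where: { email: string; organizationId?: number }): User | null {
    const hit = this.rows.find(
      (u) => u.email === where.email &&
        (where.organizationId === undefined || u.organizationId === where.organizationId)
    );
    return hit ?? null;
  }

  // Stand-in for prisma.user.upsert({ where: { email }, update, create }): email is unique,
  // so a matching row is updated in place; a row is created only when none matches.
  upsert(args: { where: { email: string }; update: Partial<Omit<User, "id">>; create: Omit<User, "id"> }): User {
    const existing = this.findFirst({ email: args.where.email });
    if (existing !== null) {
      Object.assign(existing, args.update);
      return existing;
    }
    return this.create(args.create);
  }

  // Stand-in for prisma.user.create: the unique index on email rejects a duplicate.
  create(data: Omit<User, "id">): User {
    if (this.findFirst({ email: data.email }) !== null) {
      throw new Error("Unique constraint failed on the fields: (email)");
    }
    const row: User = { id: this.nextId++, ...data };
    this.rows.push(row);
    return row;
  }

  count(): number { return this.rows.length; }
}

// Vulnerable flow, following the three defects described above.
function vulnerableSignup(db: UserTable, req: SignupRequest): User {
  // 1. usernameCheckForSignup: the existence check is skipped whenever the existing
  //    user already belongs to some organization.
  const existing = db.findFirst({ email: req.email });
  const userIsAMemberOfAnOrg = existing !== null && existing.organizationId !== null;
  if (existing !== null && !userIsAMemberOfAnOrg) throw new Error("user already exists");
  // 2. Secondary check scoped to the invite's organization: a victim in a different
  //    organization is not found, and null is read as "safe to proceed".
  const inThisOrg = db.findFirst({ email: req.email, organizationId: req.inviteToken.organizationId });
  if (inThisOrg !== null) throw new Error("already a member of this organization");
  // 3. Global upsert keyed on the unique email: the victim's row is updated, not created.
  const data = { email: req.email, username: req.username,
    organizationId: req.inviteToken.organizationId, passwordHash: req.passwordHash };
  return db.upsert({ where: { email: req.email }, update: data, create: data });
}

// Hardened flow: any existing user with this email, in any organization, stops the
// invite-token signup before a write happens; the write is a create, not an upsert, so
// the unique index is the last line of defence against a race.
function hardenedSignup(db: UserTable, req: SignupRequest): User {
  if (db.findFirst({ email: req.email }) !== null) {
    throw new Error("email already registered; sign in to accept the invite");
  }
  return db.create({ email: req.email, username: req.username,
    organizationId: req.inviteToken.organizationId, passwordHash: req.passwordHash });
}

// Constructed sample data: the victim (org 1) and the attacker's own account (org 2).
function seedTable(): UserTable {
  return new UserTable([
    { email: "alice@example.com", username: "alice", organizationId: 1, passwordHash: "hash(alice-secret)" },
    { email: "mallory@example.com", username: "mallory", organizationId: 2, passwordHash: "hash(mallory-secret)" },
  ]);
}

// The attacker's request: the victim's email plus an invite token for the attacker's org.
const attackerRequest: SignupRequest = { email: "alice@example.com", username: "alice-taken-over",
  passwordHash: "hash(attacker-chosen)", inviteToken: { organizationId: 2 } };
```

Running vulnerableSignup(seedTable(), attackerRequest) leaves the table with the same two rows, but alice's row now carries organizationId 2 and the attacker's password hash; hardenedSignup throws on the same request and leaves alice's row untouched, while still creating an account normally for an email that is not yet registered.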
Impact: The update transferred the victim's account into the attacker's organization and replaced the victim's password hash with one supplied by the attacker.

Exposure of APIs through Next.js Routing

A second critical vulnerability combined incorrect route handling in the application's API v1 with Insecure Direct Object References (IDOR). Cal.com uses underscore-prefixed files (such as _get.ts, _post.ts, and _delete.ts) as internal route handlers. The API v1 has four exposed endpoints (Source: gecko.security).
Authorization middleware was correctly applied at the main entry point, index.ts, to protect these handlers.
Nevertheless, the Next.js framework also made the internal underscore files publicly routable. By sending requests directly to paths such as /_get instead of going through index.ts, attackers could skip every authorization check. Because of this exposure, an authenticated user with a working API key could:

Read every booking: retrieve attendee emails, meeting details, and descriptions from across the platform.
Delete data: erase bookings and destination calendars by ID, silently bypassing the routing rules.

Summary of the findings:

Component   | Vulnerability Type          | Severity | Technical Root Cause
Signup Flow | Broken Access Control / ATO | Critical | prisma.user.upsert overwrote existing credentials because of incorrect scope validation.
API v1      | Authentication Bypass       | High     | Internal Next.js handlers (_get.ts) were publicly reachable, bypassing the middleware in index.ts.
Org Logic   | Logic Error                 | High     | usernameCheckForSignup did not validate existing organization members.
In response to the disclosure, the Cal.com team moved quickly. According to the external disclosure from Gecko Security, the account takeover chain was fixed in v6.0.8 by enforcing strict user-existence validation before processing signups with invite tokens. The API exposure was closed by updating the Next.js middleware.
The patch now explicitly blocks external access to internal route handlers (paths starting with /_), returning a 403 Forbidden status for any direct request to these files. Users who self-host Cal.com are strongly encouraged to update to the latest version immediately; cloud-hosted instances have already been patched.