Millions of people use Cal.com, an open-source scheduling platform, to manage their calendars and schedule meetings, but it recently encountered a significant security issue. This article explores those Cal.com security flaws. With features like team scheduling, video conferencing, and calendar syncing, the platform offers an alternative to programs like Calendly.

Security researchers found on January 26, 2026, that hackers could access sensitive booking data belonging to entire organizations by breaking into any user's account. Three distinct but related security flaws were found in Cal.com Cloud, which combined to allow a full account takeover.

These flaws were present in the platform's booking data endpoints and signup procedure. Together, they made it possible for hackers to take control of user accounts and obtain private meeting information, attendees' names, emails, and full booking histories from the millions of reservations kept on the platform. Using an AI-powered security analysis tool that scanned the Cal.com codebase, Gecko Security analysts discovered these serious security flaws.

The researchers discovered several weaknesses in the platform's defenses that could be sequentially exploited. Their research showed how minor flaws in essential parts could compound to totally undermine the platform's security barriers, impacting both paid users and admin accounts.

How the Authentication Bypass Operated

The most dangerous vulnerability was an authentication bypass that let attackers use organization invite tokens to take over existing user accounts. The root cause was a defective username validation function that did not properly verify whether an email address was already registered. When someone attempted to sign up through an organization invite link, the system mistakenly authorized the signup even for users who already had platform accounts.

There were three stages to the attack. First, an error in the signup validation allowed accounts that already existed in organizations to pass the security checks.

Second, victims in other organizations were overlooked because the email validation only looked within the attacker's own organization. Lastly, the database operation matched users by their globally unique email address and replaced the victim's password with the password the attacker had chosen. An attacker could take advantage of this by creating a shareable invite link, going to the signup page, entering any victim's email address together with a password of the attacker's choosing, and thereby gaining complete account access.
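The three stages above come down to one mismatch: the "is this email already taken?" check is scoped to the invite's organization, while the write that follows matches users by their globally unique email. The following TypeScript is an added illustration of that logic pattern and its fix; it is not Cal.com's code, and the data model (an in-memory user table, a `Map` of invite tokens to organization ids, a stand-in `fakeHash` function and the example emails) is constructed for the example.

```typescript
// Added illustration of organization-scoped validation against a globally keyed write.
// Not Cal.com's code; names, types and sample data are constructed for this example.

type User = { email: string; passwordHash: string; orgId: string | null };
type Store = { users: User[]; invites: Map<string, string> }; // invite token -> organization id
type Outcome = "created" | "rejected" | "overwritten";

// Stand-in for a real password hash so the example runs offline. Never use this for real.
function fakeHash(pw: string): string {
  return "h:" + pw;
}

// Constructed fixture: one existing account in org-B and one shareable invite for org-A.
function makeStore(): Store {
  return {
    users: [{ email: "victim@example.com", passwordHash: fakeHash("original"), orgId: "org-B" }],
    invites: new Map<string, string>([["invite-token-A", "org-A"]]),
  };
}

// Vulnerable pattern: the existence check only looks inside the invite's organization,
// so an email registered in another organization passes. The write is then an upsert
// keyed on the global email, which silently resets that other account's password.
function signupWithInviteVulnerable(s: Store, token: string, email: string, password: string): Outcome {
  const orgId = s.invites.get(token);
  if (!orgId) return "rejected";
  const takenInThisOrg = s.users.some(u => u.email === email && u.orgId === orgId);
  if (takenInThisOrg) return "rejected";
  const existing = s.users.find(u => u.email === email); // global match, any organization
  if (existing) {
    existing.passwordHash = fakeHash(password); // attacker-chosen password overwrites the victim's
    return "overwritten";
  }
  s.users.push({ email, passwordHash: fakeHash(password), orgId });
  return "created";
}

// Fixed pattern: existence is checked globally before any write, and signup never
// modifies an account that already exists. The invite only decides which organization
// a genuinely new account joins.
function signupWithInviteFixed(s: Store, token: string, email: string, password: string): Outcome {
  const orgId = s.invites.get(token);
  if (!orgId) return "rejected";
  if (s.users.some(u => u.email === email)) return "rejected"; // taken anywhere on the platform
  s.users.push({ email, passwordHash: fakeHash(password), orgId });
  return "created";
}
```

The defensive property to test for is the negative one: signing up with an email that already exists anywhere on the platform must leave that account's credentials untouched, regardless of which organization issued the invite.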

Cal.com fixed this issue in version 6.0.8 by adding proper user existence checks prior to signup, but no warning was sent to the affected account owners. The second vulnerability exposed booking data through Insecure Direct Object References on API endpoints, making it possible for any authenticated user to view and remove any booking across the platform.
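An Insecure Direct Object Reference of the kind described here is an endpoint that confirms the caller is logged in but never checks that the caller is entitled to the specific record identified by the client-supplied id. The TypeScript below is an added example of that handler shape beside an authorized version; it is not Cal.com's code, and the booking model (an owner id plus attendee emails, a `Session` for the caller, and the sample bookings) is assumed for the example.

```typescript
// Added illustration of a booking endpoint with and without per-record authorization.
// Not Cal.com's code; the data model and sample records are constructed for this example.

type Booking = { id: number; ownerId: string; attendeeEmails: string[]; title: string };
type Session = { userId: string; email: string }; // the authenticated caller

// Constructed sample data: bookings owned by two unrelated users.
function makeBookings(): Booking[] {
  return [
    { id: 101, ownerId: "user-alice", attendeeEmails: ["bob@example.com"], title: "Alice/Bob sync" },
    { id: 202, ownerId: "user-carol", attendeeEmails: ["dave@example.com"], title: "Carol/Dave 1:1" },
  ];
}

// Vulnerable pattern: authentication only. Any logged-in user can fetch or delete
// any booking simply by supplying its id.
function getBookingVulnerable(bookings: Booking[], session: Session, id: number): Booking | null {
  if (!session.userId) return null;
  return bookings.find(b => b.id === id) ?? null;
}

function deleteBookingVulnerable(bookings: Booking[], session: Session, id: number): boolean {
  if (!session.userId) return false;
  const i = bookings.findIndex(b => b.id === id);
  if (i < 0) return false;
  bookings.splice(i, 1);
  return true;
}

// Fixed pattern: authorization is decided per (caller, record). Reads are allowed to the
// owner and to listed attendees; deletes only to the owner. A record the caller may not
// see is reported exactly like a missing one, so ids cannot be enumerated by response shape.
function canView(b: Booking, s: Session): boolean {
  return b.ownerId === s.userId || b.attendeeEmails.includes(s.email);
}

function getBookingFixed(bookings: Booking[], session: Session, id: number): Booking | null {
  const b = bookings.find(x => x.id === id);
  if (!b || !canView(b, session)) return null;
  return b;
}

function deleteBookingFixed(bookings: Booking[], session: Session, id: number): boolean {
  // The ownership condition is part of the lookup itself, so there is no window in which
  // a non-owner's request can reach the destructive operation.
  const i = bookings.findIndex(b => b.id === id && b.ownerId === session.userId);
  if (i < 0) return false;
  bookings.splice(i, 1);
  return true;
}
```

When reviewing handlers for this class of bug, the question to ask of every id taken from the request is which line proves the caller may act on that particular record; if the only check is "is there a session", the endpoint is an IDOR.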

Within days of the report, Cal.com released fixes and blocked direct access to these internal route handlers.