Critical Cal.com Vulnerability Enables Account Takeover

A newly disclosed critical vulnerability in Cal.com, an open-source scheduling and booking platform, could allow attackers to bypass authentication and take over user accounts without valid credentials.

The issue affects Cal.com versions 3.1.6 through 6.0.6 and has been patched in version 6.0.7. Hosted Cal.com environments were secured shortly after the flaw was reported.

The vulnerability was discovered by GitHub researcher pedroccastro and is tracked as GHSA-7hg4-x4pr-3hrg. It originates from a logic flaw in Cal.com’s custom NextAuth JWT callback, which is used to manage user sessions.

When a session update event is triggered, the application incorrectly trusts client-supplied input and writes it directly into the JSON Web Token (JWT) without server-side verification.

An attacker can abuse this behavior by sending a crafted API request that updates the session email field to that of another user. Because ownership of the email is never validated, the JWT is silently modified.

How the Attack Works

The attack works by abusing how Cal.com handles session updates in its authentication logic. An attacker only needs a valid, low-privilege account to trigger a session update request that includes a different user’s email address.

Because Cal.com’s custom NextAuth JWT callback trusts client-supplied data during an “update” event, it writes the attacker-controlled email directly into the JSON Web Token without verifying ownership.

This silently alters the JWT so that it now contains the victim’s email. On subsequent requests, Cal.com identifies the user based solely on the email value stored in the token, causing the backend to treat the attacker as the victim.

As a result, the attacker gains full authenticated access to the victim’s account without knowing the password, possessing a valid session, or passing two-factor authentication, leading to complete account takeover with minimal effort.

Potential Impact on Affected Accounts

An attacker who successfully exploits this flaw could gain access to:

  • Booking schedules and calendar data
  • Personal and organizational event types
  • Connected services (Google Calendar, Zoom, etc.)
  • Organization roles and permissions
  • Billing and administrative features

Because the bypass occurs after authentication checks, traditional security controls like 2FA offer no protection in this scenario.

Patch Status and Recommendations

Cal.com has confirmed that:

  • No active exploitation has been observed so far
  • Hosted instances were patched immediately

Recommended Actions

  • Upgrade self-hosted Cal.com deployments to version 6.0.7 or later
  • Review API usage and access logs for unusual session updates
  • Rotate API keys or tokens if exposure is suspected
  • Apply strict validation for identity fields in custom authentication logic
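To make the mechanism described under "How the Attack Works" and the last recommendation above concrete, here is an added JavaScript example. It is not Cal.com's code and not the patched implementation; it is a hypothetical NextAuth-style `jwt` callback written in the trusting form the advisory describes, next to a hardened form that re-derives identity fields from the server-side user record. The user table, the `resolveByEmail`/`resolveById` lookups and the `CLIENT_UPDATABLE` allowlist are all constructed for the example.

```javascript
// Added example (not Cal.com's code): a NextAuth-style jwt callback that
// copies client-supplied "update" data into the token, next to a hardened
// version that re-derives identity fields from the server-side user record.
// Real NextAuth callbacks are async; they are synchronous here for brevity.

// Constructed in-memory user table standing in for the database.
const USERS = new Map([
  [1, { id: 1, email: "lowpriv@example.com", role: "member" }],
  [2, { id: 2, email: "target@example.com", role: "owner" }],
]);

function findUserById(id) {
  return USERS.get(Number(id)) ?? null;
}

// Vulnerable pattern: on an "update" trigger, whatever the client sent is
// merged into the token, so the caller decides what token.email contains.
function vulnerableJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session) {
    Object.assign(token, session);
  }
  return token;
}

// Hardened pattern: identity fields come only from the user record keyed by
// token.sub (set at sign-in, never taken from the client); client data may
// change only an explicit allowlist of non-identity fields.
const CLIENT_UPDATABLE = new Set(["locale", "theme"]);

function hardenedJwtCallback({ token, trigger, session }) {
  if (trigger !== "update") return token;
  const user = findUserById(token.sub);
  if (!user) throw new Error("token refers to an unknown user");
  token.email = user.email;
  token.role = user.role;
  for (const [key, value] of Object.entries(session ?? {})) {
    if (CLIENT_UPDATABLE.has(key)) token[key] = value;
  }
  return token;
}

// Two ways of mapping a token back to a user. The advisory notes the backend
// identified the user solely by the email stored in the token; keying on the
// immutable user id instead removes email as a source of identity entirely.
function resolveByEmail(token) {
  for (const user of USERS.values()) {
    if (user.email === token.email) return user;
  }
  return null;
}

function resolveById(token) {
  return findUserById(token.sub);
}

// Simulate a signed-in user (id 1) sending a session update whose email
// field names another user, then ask the backend who the token belongs to.
function simulateUpdate(jwtCallback, resolver, update) {
  const token = { sub: "1", email: "lowpriv@example.com", role: "member" };
  const updated = jwtCallback({ token, trigger: "update", session: update });
  return resolver(updated);
}

// Constructed update payload: a foreign email plus a harmless preference.
const CRAFTED_UPDATE = { email: "target@example.com", locale: "fr" };

// Vulnerable callback + email-based lookup: the token now resolves to user 2.
const vulnerableResult = simulateUpdate(vulnerableJwtCallback, resolveByEmail, CRAFTED_UPDATE);
// Hardened callback + id-based lookup: still user 1, and the locale change is kept.
const hardenedResult = simulateUpdate(hardenedJwtCallback, resolveById, CRAFTED_UPDATE);

console.log("vulnerable path resolves to user", vulnerableResult.id);
console.log("hardened path resolves to user", hardenedResult.id);
```

Two independent layers are shown: the callback never lets the client set identity fields, and the backend never uses a mutable field such as email as the key for "who is this". Either one alone would have stopped the token swap described above; together they also cover future callbacks that forget the allowlist.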

About the Author:

FirstHackersNews- Identifies Security
