{"id":11240,"date":"2026-01-28T15:24:54","date_gmt":"2026-01-28T15:24:54","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=11240"},"modified":"2026-01-28T15:24:54","modified_gmt":"2026-01-28T15:24:54","slug":"cal-com-damaged-entry-controls-result-in-account-takeover-and-knowledge-publicity","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=11240","title":{"rendered":"Cal.com Damaged Entry Controls Result in Account Takeover and Knowledge Publicity"},"content":{"rendered":"


\n<\/p>\n

\n

Cal.com, an open-source scheduling platform and developer-friendly various to Calendly, not too long ago patched a set of crucial vulnerabilities that uncovered consumer accounts and delicate reserving knowledge to attackers. <\/p>\n

The issues, found by Gecko\u2019s AI safety engineer in Cal.com Cloud, allowed full account takeover for any consumer and unauthorized entry to bookings throughout organizations, together with personal conferences and attendee metadata.<\/p>\n

Gecko used its AI-augmented static evaluation platform to autonomously map Cal.com\u2019s codebase, uncovering advanced multi-step vulnerability chains in only a few hours points that had beforehand evaded each present tooling and handbook penetration testing. <\/p>\n

In line with Gecko, that is precisely the category of labor they intention to democratize: turning AI-augmented safety experience into one thing each developer and safety crew can use to safe software program at scale.<\/p>\n

The investigation centered on damaged entry management, a class that continues to dominate real-world software safety. <\/p>\n

OWASP\u2019s 2025 Prime 10 stories<\/a> that 100% of examined purposes had some type of damaged entry management, underscoring how pervasive these points are even in security-conscious, open-source tasks with giant contributor communities like Cal.com.<\/p>\n

Account Takeover by way of Group<\/strong><\/h2>\n

Essentially the most extreme problem was an authentication bypass within the group signup circulation that enabled attackers to hijack present Cal.com accounts utilizing solely an electronic mail tackle and a company invite hyperlink.<\/p>\n

An attacker generates a shareable invite hyperlink for a company they personal, producing a URL like\u00a0https:\/\/app.cal.com\/signup?token=<64-char-hex-token><\/code>.\u00a0<\/p>\n

The vulnerability stemmed from three chained logic flaws within the signup course of:<\/p>\n

    \n
  1. The usernameCheckForSignup<\/code> operate defaulted to obtainable: true<\/code> and skipped crucial validation for customers who had been already members of any group. As a substitute of rejecting present verified customers, it handled group members as if their electronic mail had been free to register, permitting \u201cre-signup\u201d of lively accounts.<\/li>\n
  2. A second validation step solely checked for present customers inside the attacker\u2019s group scope. The question filtered by organizationId<\/code>, asking successfully, \u201cDoes this electronic mail exist in my org?\u201d as a substitute of worldwide. In consequence, verified customers in different organizations had been incorrectly handled as new.<\/li>\n
  3. Lastly, the signup handler executed a prisma.consumer.upsert()<\/code> with the place: { electronic mail }<\/code> towards a schema the place emails are globally distinctive. When the 2 flawed validations handed, this upsert matched the sufferer\u2019s present file and up to date it, overwriting their password hash, setting a brand new username, marking the e-mail as verified, and reassigning organizationId<\/code> to the attacker\u2019s group.<\/li>\n<\/ol>\n

    In observe, the assault was trivial: an attacker created or used an present group, generated an invitation hyperlink resembling https:\/\/app.cal.com\/signup?token=<\/code>, and submitted the signup type with the sufferer\u2019s electronic mail and a brand new password. <\/p>\n

    The signup succeeded, the sufferer was silently locked out, and the attacker gained full entry to the account, together with calendar integrations, OAuth tokens<\/a>, bookings, and API keys. No notification was despatched to the sufferer.<\/p>\n

    Cal.com fastened this in model 6.0.8 by including strict consumer existence validation earlier than processing signups by way of invite tokens.<\/p>\n

    Bookings and Calendar Endpoints<\/strong><\/h2>\n

    A second class of vulnerabilities uncovered all reserving information and consumer knowledge by way of misconfigured API routes<\/a> and IDOR-style flaws.<\/p>\n

    Gecko\u2019s indexing course of recognized that Cal.com\u2019s API v1 used underscore-prefixed information (_get.ts<\/code>, _post.ts<\/code>, _patch.ts<\/code>, _delete.ts<\/code>) as inner route handlers. <\/p>\n

    The primary index.ts<\/code> entry level accurately utilized authorization middleware earlier than delegating to those handlers. Nevertheless, resulting from how Subsequent.js dealt with routing, the underscore information had been additionally uncovered as direct routes.<\/p>\n

    By instantly calling these inner routes, any authenticated consumer with a legitimate v1 API key<\/a> may bypass the authorization middleware fully. This allowed studying and deleting bookings platform-wide, exposing:<\/p>\n