Critical Cal.com Vulnerability Let Attackers Bypass Authentication and Hijack Any User Account

A newly disclosed critical vulnerability in Cal.com, an open-source scheduling and booking platform, could allow attackers to bypass authentication and gain full access to any user account.

The flaw, identified by GitHub researcher pedroccastro and tracked as GHSA-7hg4-x4pr-3hrg, affects Cal.com versions 3.1.6 through 6.0.6.

The issue has been patched in version 6.0.7, with hosted Cal.com instances reportedly secured immediately after discovery.

Authentication Bypass via Unvalidated Email Field

The vulnerability stems from a logic flaw in a custom NextAuth JWT callback used by Cal.com for session handling.

Specifically, when the callback is triggered with the "update" event, it improperly trusts client-controlled input and writes it directly into the JSON Web Token (JWT) without any server-side validation.

An attacker can exploit this flaw from an ordinary authenticated client session by issuing a session update with an arbitrary address: session.update({ email: "[email protected]" }).

Because the system does not verify whether the updater is the true owner of the specified email, the application overwrites the existing JWT payload — resulting in a forged token like:

{
  sub: attackerId,
  email: "[email protected]"
}

Once this manipulated token is used in subsequent requests, the application’s authentication logic identifies the user based solely on the now-altered token.email field.

Consequently, the attacker gains full authenticated access as the victim user, without requiring their password, session token, or two-factor credentials.
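To make the logic flaw concrete, the following is an added example written for this article, not Cal.com's code: a NextAuth-style jwt() callback that merges the client-supplied session object into the token on the "update" trigger, placed beside a hardened version that re-derives identity attributes from the server-side user record keyed by the immutable token.sub. The user store, addresses and the whitelist of updatable preference fields (locale, timeZone) are constructed for the demonstration.

```javascript
// Added example (not Cal.com's code). Constructed user store standing in for the
// application's database; ids and addresses are made up for the demonstration.
const USERS = new Map([
  ["user-1", { id: "user-1", email: "attacker@example.test" }],
  ["user-2", { id: "user-2", email: "victim@example.test" }],
]);

// Vulnerable pattern: on "update", whatever the client sent is copied into the JWT,
// so a caller can rewrite identity fields such as `email` with no server-side check.
function jwtCallbackVulnerable({ token, trigger, session }) {
  if (trigger === "update" && session) {
    return { ...token, ...session };
  }
  return token;
}

// Hardened pattern: on "update", look the user up by token.sub (set at sign-in and
// never client-controlled) and take identity attributes from that record only.
// Client input is limited to an explicit whitelist of non-identity preferences.
function jwtCallbackHardened({ token, trigger, session }, users = USERS) {
  if (trigger === "update") {
    const record = users.get(token.sub);
    if (!record) {
      throw new Error("session update for unknown subject");
    }
    const allowed = ["locale", "timeZone"]; // assumed preference fields
    const updates = {};
    for (const key of allowed) {
      if (session && typeof session[key] === "string") updates[key] = session[key];
    }
    return { ...token, ...updates, email: record.email };
  }
  return token;
}

// Session reconstruction. Resolving the acting user by token.email (the behaviour
// the advisory describes) is what turns a forged email into a full takeover;
// resolving by the subject id ignores the forged field entirely.
function resolveUserByEmail(token, users = USERS) {
  for (const u of users.values()) {
    if (u.email === token.email) return u;
  }
  return null;
}

function resolveUserBySub(token, users = USERS) {
  return users.get(token.sub) ?? null;
}

// Run the same client-controlled update through both callbacks and report which
// account each resulting token resolves to.
function demonstrate() {
  const attackerToken = { sub: "user-1", email: "attacker@example.test" };
  const update = { email: "victim@example.test", locale: "en" };

  const forged = jwtCallbackVulnerable({ token: attackerToken, trigger: "update", session: update });
  const kept = jwtCallbackHardened({ token: attackerToken, trigger: "update", session: update });

  return {
    vulnerableResolvesTo: resolveUserByEmail(forged).id, // "user-2": victim
    hardenedResolvesTo: resolveUserByEmail(kept).id,     // "user-1": attacker stays attacker
    bySubIgnoresEmail: resolveUserBySub(forged).id,      // "user-1": forged email is irrelevant
    hardenedKeepsPreference: kept.locale,                // "en": whitelisted field still updates
  };
}

console.log(demonstrate());
```

The two fixes are independent and both worth applying: the callback must never let a client write identity claims, and session reconstruction should key on the subject id rather than on a mutable attribute such as email, so a bug in one layer does not become an account takeover on its own.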

Full Account Compromise With Minimal Effort

This vulnerability effectively allows account takeover attacks with a single API request.

Since Cal.com’s backend reconstructs a user session using the email field, attackers could impersonate any user whose email address is known, including administrators or organizational owners.

The potential impact is broad, enabling unauthorized access to:

  • Booking and calendar data
  • Personal and business event types
  • Connected integrations (e.g., Google Calendar, Zoom)
  • Organization memberships and permissions
  • Billing and administrative modules

Security mechanisms such as two-factor authentication (2FA) or federated identity providers (IdPs) offer no protection in this scenario because the trust bypass occurs after JWT validation.

As of publication, Cal.com’s official statement confirms that no exploitation has been detected in the wild and that hosted deployments were patched immediately.

Users running self-hosted instances are strongly advised to upgrade to version 6.0.7 or later to eliminate the risk.

The flaw highlights the importance of strict input validation and authentication controls in JWT-based session systems.

Allowing untrusted clients to modify sensitive identity attributes can result in catastrophic privilege escalations, as seen in this case.

Security experts recommend patching immediately and rotating any API tokens that may have been exposed, so that sessions forged before the fix cannot continue to be used.
