Cal.com Broken Access Controls Lead to Account Takeover and Data Exposure

Cal.com, an open-source scheduling platform and developer-friendly alternative to Calendly, recently patched a set of critical vulnerabilities that exposed user accounts and sensitive booking data to attackers.

The flaws, discovered by Gecko’s AI security engineer in Cal.com Cloud, allowed complete account takeover for any user and unauthorized access to bookings across organizations, including private meetings and attendee metadata.

Gecko used its AI-augmented static analysis platform to autonomously map Cal.com’s codebase, uncovering complex multi-step vulnerability chains in just a few hours: issues that had previously evaded both existing tooling and manual penetration testing.

According to Gecko, this is exactly the class of work they aim to democratize: turning AI-augmented security expertise into something every developer and security team can use to secure software at scale.

The investigation focused on broken access control, a category that continues to dominate real-world application security.

OWASP’s 2025 Top 10 reports that 100% of tested applications had some form of broken access control, underscoring how pervasive these issues are even in security-conscious, open-source projects with large contributor communities like Cal.com.

Account Takeover via Organization

The most severe issue was an authentication bypass in the organization signup flow that enabled attackers to hijack existing Cal.com accounts using only an email address and an organization invite link.

An attacker generates a shareable invite link for an organization they own, producing a URL of the form https://app.cal.com/signup?token=<64-char-hex-token>.

The vulnerability stemmed from three chained logic flaws in the signup process:

  1. The usernameCheckForSignup function defaulted to available: true and skipped critical validation for users who were already members of any organization. Instead of rejecting existing verified users, it treated organization members as if their email were free to register, allowing “re-signup” of active accounts.
  2. A second validation step only checked for existing users within the attacker’s organization scope. The query filtered by organizationId, asking effectively, “Does this email exist in my org?” instead of globally. As a result, verified users in other organizations were incorrectly treated as new.
  3. Finally, the signup handler executed a prisma.user.upsert() with where: { email } against a schema where emails are globally unique. When the two flawed validations passed, this upsert matched the victim’s existing record and updated it, overwriting their password hash, setting a new username, marking the email as verified, and reassigning organizationId to the attacker’s organization.

In practice, the attack was trivial: an attacker created or used an existing organization, generated an invite link such as https://app.cal.com/signup?token=, and submitted the signup form with the victim’s email and a new password.

The signup succeeded, the victim was silently locked out, and the attacker gained full access to the account, including calendar integrations, OAuth tokens, bookings, and API keys. No notification was sent to the victim.

Cal.com fixed this in version 6.0.8 by adding strict user existence validation before processing signups via invite tokens.
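To make the three chained flaws concrete, here is an added example (not Cal.com’s code) that models the invite-token signup flow against an in-memory stand-in for the Prisma user table. The names usernameCheckForSignup, organizationId and the upsert-by-email shape follow the article; the sample users, the request shape and the hardened flow are assumptions about what a global existence check looks like, not Cal.com’s 6.0.8 patch verbatim.

```typescript
// Added example, not Cal.com's code: an in-memory stand-in for the Prisma
// user table, used to contrast the flawed invite-token signup checks the
// article describes with a globally scoped existence check. The names
// usernameCheckForSignup, organizationId and the upsert-by-email shape follow
// the article; everything else (data, hardened flow) is an assumption.

interface User {
  email: string;            // globally unique, as in Cal.com's schema
  username: string;
  passwordHash: string;
  emailVerified: boolean;
  organizationId: number | null;
}

interface SignupRequest {
  email: string;
  username: string;
  passwordHash: string;
  inviterOrganizationId: number; // the org the invite token was issued for
}

type Outcome = { ok: boolean; reason?: string };

// Constructed sample data: a verified victim in org 1, an attacker who owns org 2.
function seedUsers(): User[] {
  return [
    { email: "victim@example.com", username: "victim", passwordHash: "hash-victim",
      emailVerified: true, organizationId: 1 },
    { email: "attacker@example.com", username: "attacker", passwordHash: "hash-attacker",
      emailVerified: true, organizationId: 2 },
  ];
}

// Stand-in for prisma.user.upsert({ where: { email }, update, create }):
// because email is globally unique, a matching record is UPDATED in place.
function upsertByEmail(users: User[], email: string, data: Omit<User, "email">): User {
  const existing = users.find(u => u.email === email);
  if (existing) { Object.assign(existing, data); return existing; }
  const created: User = { email, ...data };
  users.push(created);
  return created;
}

// Flaw 1 stand-in: the check answered "available" for anyone already in an
// organization instead of rejecting an existing verified account.
function usernameCheckForSignupVulnerable(users: User[], email: string): { available: boolean } {
  const user = users.find(u => u.email === email);
  if (!user) return { available: true };
  return { available: user.organizationId !== null };
}

// Flaws 2 and 3 stand-in: existence is checked only within the inviter's
// org, so a user from another org looks new and the upsert overwrites them.
function signupVulnerable(users: User[], req: SignupRequest): Outcome {
  if (!usernameCheckForSignupVulnerable(users, req.email).available) {
    return { ok: false, reason: "username/email not available" };
  }
  const inMyOrg = users.some(u => u.email === req.email && u.organizationId === req.inviterOrganizationId);
  if (inMyOrg) return { ok: false, reason: "already a member of this organization" };
  upsertByEmail(users, req.email, {
    username: req.username, passwordHash: req.passwordHash,
    emailVerified: true, organizationId: req.inviterOrganizationId,
  });
  return { ok: true };
}

// Hardened flow (assumed shape of the fix, not Cal.com's patch verbatim):
// any existing user with that email, in any org, blocks the invite signup,
// so only genuinely new emails ever reach the upsert.
function signupHardened(users: User[], req: SignupRequest): Outcome {
  if (users.some(u => u.email === req.email)) {
    return { ok: false, reason: "email already registered; sign in instead" };
  }
  upsertByEmail(users, req.email, {
    username: req.username, passwordHash: req.passwordHash,
    emailVerified: true, organizationId: req.inviterOrganizationId,
  });
  return { ok: true };
}

// Runs the same re-signup request for the victim's email through both flows
// and reports what happened to the victim's record.
function demo() {
  const req: SignupRequest = { email: "victim@example.com", username: "new-name",
    passwordHash: "hash-chosen-by-attacker", inviterOrganizationId: 2 };
  const vulnDb = seedUsers();
  const hardDb = seedUsers();
  const vuln = signupVulnerable(vulnDb, req);
  const hard = signupHardened(hardDb, req);
  const victimAfterVuln = vulnDb.find(u => u.email === req.email)!;
  const victimAfterHard = hardDb.find(u => u.email === req.email)!;
  return {
    vulnerableAccepted: vuln.ok,                          // true
    vulnerableVictimHash: victimAfterVuln.passwordHash,   // "hash-chosen-by-attacker"
    vulnerableVictimOrg: victimAfterVuln.organizationId,  // 2: moved into the inviter's org
    vulnerableUserCount: vulnDb.length,                   // still 2: no new row, the victim's was updated
    hardenedAccepted: hard.ok,                            // false
    hardenedVictimHash: victimAfterHard.passwordHash,     // "hash-victim", untouched
  };
}
```

The point the example makes is that each flaw on its own looks harmless; it is the org-scoped query combined with an upsert keyed on a globally unique column that turns a "new member" request into a silent overwrite of someone else’s row. The hardened flow moves the existence check to the same scope as the uniqueness constraint, so the two can never disagree.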

Bookings and Calendar Endpoints

A second class of vulnerabilities exposed all booking records and user data via misconfigured API routes and IDOR-style flaws.

Gecko’s indexing process identified that Cal.com’s API v1 used underscore-prefixed files (_get.ts, _post.ts, _patch.ts, _delete.ts) as internal route handlers.

The main index.ts entry point correctly applied authorization middleware before delegating to these handlers. However, due to how Next.js handled routing, the underscore files were also exposed as direct routes.

By directly calling these internal routes, any authenticated user with a valid v1 API key could bypass the authorization middleware entirely. This allowed reading and deleting bookings platform-wide, exposing:

  • Attendee names, emails, and personal details.
  • Meeting metadata and calendar information.
  • Complete booking histories across users and organizations.

The same pattern affected destination calendar endpoints, enabling deletion of any user’s destination calendar by ID, silently breaking routing rules and potentially disrupting business workflows.

Cal.com mitigated this by updating its Next.js middleware to explicitly block direct access to internal route handlers such as /_get, /_post, /_patch, /_delete, and /_auth-middleware, returning HTTP 403 for any direct requests to these paths.
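As an added example (not Cal.com’s middleware), the following pure function reproduces the mitigation just described: it refuses any request whose path contains one of the underscore-prefixed internal handler names, returning 403, and lets everything else continue. The handler names are the ones listed above; the sample paths and the way the function would be wired into Next.js are assumptions.

```typescript
// Added example, not Cal.com's middleware: a pure decision function that
// reproduces the mitigation described in the article, refusing direct
// requests to underscore-prefixed internal route handlers. The handler names
// are the ones the article lists; sample paths and Next.js wiring are assumed.

const INTERNAL_HANDLER_SEGMENTS = new Set(["_get", "_post", "_patch", "_delete", "_auth-middleware"]);

interface RouteDecision { status: number; reason?: string }

// Decides whether a request path may continue to normal routing (200) or
// must be refused (403). Any path segment matching an internal handler name
// is refused, after stripping the query string and trailing slashes,
// percent-decoding each segment (so "%5Fget" is seen as "_get") and
// lower-casing it. A segment that cannot be decoded is refused too, so the
// check fails closed rather than letting an odd encoding slip past.
function decideRoute(pathname: string): RouteDecision {
  const path = pathname.split("?")[0].replace(/\/+$/, "");
  for (const raw of path.split("/")) {
    if (raw === "") continue;
    let segment: string;
    try {
      segment = decodeURIComponent(raw).toLowerCase();
    } catch (err) {
      return { status: 403, reason: `undecodable path segment ${raw}: ${String(err)}` };
    }
    if (INTERNAL_HANDLER_SEGMENTS.has(segment)) {
      return { status: 403, reason: `direct access to internal handler ${segment} is not allowed` };
    }
  }
  return { status: 200 };
}

// Constructed sample requests showing which paths the check refuses.
function demoRoutes(): Record<string, number> {
  const samples = [
    "/api/bookings",               // public entry point: allowed
    "/api/bookings/_get",          // internal handler: refused
    "/api/bookings/_delete/",      // trailing slash does not help
    "/api/bookings/%5Fpatch?id=1", // percent-encoded underscore: refused
    "/api/bookings/_GET",          // case variant: refused
    "/api/bookings/get_",          // only a real handler name matches
  ];
  const result: Record<string, number> = {};
  for (const p of samples) result[p] = decideRoute(p).status;
  return result;
}
```

In a Next.js project this would be called from middleware.ts (the exported middleware(req: NextRequest) function) on req.nextUrl.pathname, returning a NextResponse with status 403 when it refuses; the exact matcher and response Cal.com uses are not on the page. The deeper lesson is that middleware applied in index.ts only protects the paths that go through index.ts; anything the framework also exposes as its own route needs the same check, or needs to be unreachable.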

These findings underline how small, localized bugs in authentication and authorization logic can chain into full compromise of accounts and sensitive data.

For Cal.com, the impact ranged from complete account takeover, including admins and paid users, to exposure of highly sensitive PII embedded in bookings.

The incident reinforces the need for defense in depth: strict global identity checks, consistent authorization enforcement on every path, and careful handling of framework routing behavior.

It also highlights the role of AI-augmented security tooling. Gecko’s AI SAST engine, which builds a semantic index of the codebase and reasons about data flows and business logic, was key in surfacing these complex chains quickly.

Gecko is currently making its platform available in a free preview, inviting developers, vulnerability researchers, and security engineers to experiment with AI-assisted code security and bring this level of analysis into their own pipelines.
