Critical Cal.com Flaw Allows Attackers to Bypass Authentication Using Fake TOTP Codes

Cal.com has disclosed a critical authentication bypass vulnerability that could allow attackers to gain unauthorized access to user accounts by exploiting a flaw in password verification logic.

The flaw, tracked as CVE-2025-66489 and assigned a critical CVSS v4 score of 9.3, affects all versions of Cal.com up to and including 5.9.7. Users are urged to update to the patched version 5.9.8 immediately.

Property           | Detail
-------------------|------------------------------------------------------------------
CVE ID             | CVE-2025-66489
Vulnerability Type | Authentication Bypass via Incorrect Implementation of Authentication Algorithm
Weakness ID        | CWE-303
Severity           | Critical

Vulnerability Details and Attack Vectors

The vulnerability resides in the credentials provider’s authentication logic in the authorize() function, specifically in packages/features/auth/lib/next-auth-options.ts.

The critical flaw stems from faulty conditional logic that skips password verification whenever a TOTP (Time-based One-Time Password) code is provided, regardless of whether that code is valid.

The vulnerability creates two distinct attack scenarios. In the first scenario, attackers can bypass both password and TOTP verification by submitting any non-empty value in the totpCode field alongside the victim’s email address.

This means the majority of Cal.com users who haven’t enabled 2FA are vulnerable to account takeover attacks with minimal effort from threat actors.

The second scenario impacts users with 2FA enabled, though less severely. When a TOTP code is provided, the authentication system bypasses password verification entirely and only validates the TOTP code.

This reduces the multi-factor authentication process to single-factor authentication, weakening the security posture for accounts that should be better protected.

The flawed logic occurs at lines 179-187 of the authentication file, where the code checks if a user has a password hash and whether a TOTP code was provided.

When a totpCode is present in the request, the conditional statement evaluates to false, causing the password verification step using the verifyPassword function to be skipped entirely.

The authentication flow then proceeds without properly validating user credentials, allowing unauthorized access.
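The following is an added illustration of the conditional pattern described above and of the shape a correct check takes; it is a simplified reconstruction written for this article, not Cal.com's code. The user and credential types, the fixed "valid" TOTP code and the SHA-256 stand-in for a real password hash are all constructed for the example.

```typescript
// Reconstruction of the CWE-303 pattern: a totpCode in the request disables
// the password check. Not Cal.com's code; names and data are constructed.
import { createHash } from "node:crypto";

interface User { email: string; passwordHash: string; twoFactorEnabled: boolean }
interface Credentials { email: string; password?: string; totpCode?: string }

// Stand-in for a real slow password hash, only so the example runs offline.
export const hashPassword = (p: string) => createHash("sha256").update(p).digest("hex");
const verifyPassword = (p: string | undefined, hash: string) =>
  p !== undefined && hashPassword(p) === hash;

// Stand-in for TOTP validation: the constructed "current" code is fixed.
const CONSTRUCTED_VALID_TOTP = "123456";
const verifyTotp = (code: string) => code === CONSTRUCTED_VALID_TOTP;

// Vulnerable shape: the presence of totpCode short-circuits the password
// check, so a request reaches the 2FA step with no password verified at all.
export function authorizeVulnerable(user: User, c: Credentials): boolean {
  if (user.passwordHash && !c.totpCode) {
    if (!verifyPassword(c.password, user.passwordHash)) return false;
  }
  if (user.twoFactorEnabled) {
    if (!c.totpCode || !verifyTotp(c.totpCode)) return false;
  }
  return true; // account without 2FA + any non-empty totpCode: accepted
}

// Hardened shape: the password is always verified first; the TOTP code is
// an additional factor, never a substitute, and is consulted only when 2FA
// is enabled for the account.
export function authorizeFixed(user: User, c: Credentials): boolean {
  if (!verifyPassword(c.password, user.passwordHash)) return false;
  if (user.twoFactorEnabled) {
    if (!c.totpCode || !verifyTotp(c.totpCode)) return false;
  }
  return true;
}

// Constructed accounts for the two scenarios the article describes.
export const noTwoFactor: User = {
  email: "alice@example.test", passwordHash: hashPassword("correct horse"), twoFactorEnabled: false,
};
export const withTwoFactor: User = { ...noTwoFactor, email: "bob@example.test", twoFactorEnabled: true };
```

Running both functions against the same requests shows the asymmetry: the vulnerable shape accepts a bogus TOTP code with no password for the non-2FA account, and accepts a valid TOTP code alone for the 2FA account, while the hardened shape rejects both and requires the password in every case.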

This vulnerability poses severe risks to Cal.com users, potentially exposing sensitive information such as calendars, meeting links, and personal data.

Attackers could exploit this flaw for user enumeration, account impersonation, and unauthorized access to privileged accounts.

The issue was reported by security researcher Jaydns and classified under CWE-303 (Incorrect Implementation of Authentication Algorithm).

Cal.com has released version 5.9.8 to address this critical security flaw. Organizations and individual users running affected versions should immediately upgrade to the patched release to protect against potential exploitation.

The fix implements proper verification of both password and TOTP codes in the authentication flow, ensuring multi-factor authentication operates as designed.
