A vulnerability in Cal.com, a popular open-source scheduling platform used by millions, potentially puts user accounts and sensitive booking data at risk.
Gecko Security researchers revealed that attackers could take over any Cal.com account and access private meeting details across organizations.
The vulnerabilities “… resulted in complete account takeover of any user on Cal.com, including admin accounts and paid users, and exposed all sensitive booking data including PII,” said the researchers in their analysis.
Access Control Failures Led to Account Takeover
Cal.com is used as core scheduling infrastructure, embedded into critical business workflows for sales, recruiting, customer support, and executive operations.
Because it sits at the center of daily organizational activity, any security failure in the platform carries outsized risk, particularly when it affects identity, access, and sensitive scheduling data.
According to the researchers, attackers could exploit broken access controls in Cal.com Cloud to both hijack user accounts and read or delete bookings belonging to other users and organizations at scale.
The root cause was not a single vulnerability, but a chain of weaknesses involving flawed authentication logic and inconsistent authorization enforcement across the platform.
The most severe issue emerged in Cal.com’s organization invite-based signup flow.
Under certain conditions, the system failed to properly validate whether an email address was already registered when that user belonged to an organization.
Follow-on validation checks only searched for existing users within the attacker’s organization, rather than globally across the platform.
When these checks were incorrectly passed, the signup process executed a database operation that overwrote the victim’s existing password and reassigned their account to the attacker’s organization.
From an attacker’s perspective, exploitation was trivial.
By generating a shareable organization invite link and submitting a victim’s email address with a new password, an attacker could silently take full control of the account.
The legitimate user received no warning or notification, and their original credentials immediately stopped working.
Once compromised, attackers gained access to calendar integrations, OAuth tokens, API keys, and complete booking histories, effectively turning a scheduling flaw into a full identity and data breach risk.
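A compact model of the two checks described above, written for this article as an added example (it is not Cal.com’s code, and every name, store and hash function here is constructed): the flawed path scopes its existing-user lookup to the inviting organization and then upserts by email, while the corrected path checks globally and never rewrites an existing account from a signup route.

```typescript
// Added illustration, not Cal.com's code. Models an organization-invite
// signup with the flawed existence check next to a corrected one.
type User = { email: string; passwordHash: string; orgId: string | null };

// Constructed user store: the victim already has an account in org "acme".
function makeUsers(): User[] {
  return [{ email: "victim@example.com", passwordHash: "h(victim-pw)", orgId: "acme" }];
}

// Stand-in for a real password hash; only here to make overwrites visible.
const hash = (pw: string): string => `h(${pw})`;

// Flawed: the "already registered?" check only looks inside the inviting
// organization. Finding nothing, the flow upserts by email, which silently
// replaces the victim's password and moves the account into the new org.
function acceptInviteVulnerable(users: User[], inviteOrg: string, email: string, pw: string): string {
  const existsInOrg = users.some(u => u.email === email && u.orgId === inviteOrg);
  if (existsInOrg) return "already-member";
  const idx = users.findIndex(u => u.email === email); // upsert keyed on email
  const created: User = { email, passwordHash: hash(pw), orgId: inviteOrg };
  if (idx >= 0) users[idx] = created; else users.push(created);
  return "created";
}

// Hardened: the existence check is global, and a signup path can only
// create accounts. An existing email is rejected rather than rewritten.
function acceptInviteFixed(users: User[], inviteOrg: string, email: string, pw: string): string {
  if (users.some(u => u.email === email)) return "rejected-existing-account";
  users.push({ email, passwordHash: hash(pw), orgId: inviteOrg });
  return "created";
}
```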
Compounding the impact, researchers also identified insecure direct object reference (IDOR) vulnerabilities in Cal.com’s booking APIs.
Due to missing authorization checks on internal endpoints, any authenticated user could read or delete bookings across the entire platform.
This exposure included attendee names, email addresses, meeting metadata, and historical booking data belonging to other organizations.
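The IDOR pattern described here, as an added example rather than Cal.com’s code: a booking read and delete that check only for an authenticated session beside versions that also enforce object-level authorization. The booking store, the session shape and the `org_admin` role are constructed for illustration.

```typescript
// Added illustration, not Cal.com's code: authenticated-but-unauthorized
// booking access next to a version that authorizes per object.
type Booking = { id: number; ownerId: string; orgId: string; attendees: string[] };
type Session = { userId: string; orgId: string; role: "member" | "org_admin" };

// Constructed store: bookings belonging to two different organizations.
function makeBookings(): Booking[] {
  return [
    { id: 1, ownerId: "alice", orgId: "acme", attendees: ["a@acme.example"] },
    { id: 2, ownerId: "bob", orgId: "globex", attendees: ["b@globex.example"] },
  ];
}

// Flawed: a session is required (authentication), but nothing asks whether
// this session may see or remove booking `id` (authorization).
function getBookingVulnerable(store: Booking[], _s: Session, id: number): Booking | null {
  return store.find(b => b.id === id) ?? null;
}
function deleteBookingVulnerable(store: Booking[], _s: Session, id: number): boolean {
  const i = store.findIndex(b => b.id === id);
  if (i < 0) return false;
  store.splice(i, 1);
  return true;
}

// Object-level rule: the owner, or an org admin of the same organization.
function canAccess(b: Booking, s: Session): boolean {
  return b.ownerId === s.userId || (s.role === "org_admin" && b.orgId === s.orgId);
}

// Hardened: authorize every object. "Not found" and "not yours" collapse
// into the same null/false result so the endpoint does not reveal which ids exist.
function getBookingFixed(store: Booking[], s: Session, id: number): Booking | null {
  const b = store.find(x => x.id === id);
  return b && canAccess(b, s) ? b : null;
}
function deleteBookingFixed(store: Booking[], s: Session, id: number): boolean {
  const i = store.findIndex(x => x.id === id);
  if (i < 0 || !canAccess(store[i], s)) return false;
  store.splice(i, 1);
  return true;
}
```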
While there is no public evidence of active exploitation, researchers successfully demonstrated working proof-of-concept attacks.
How Organizations Can Reduce Risk
While Cal.com has addressed the underlying vulnerabilities, organizations should not rely on vendor patches alone to reduce risk.
Scheduling platforms often hold sensitive identity, meeting, and relationship data, making them attractive targets for threat actors.
Security teams should take a layered approach that combines patch management, access controls, monitoring, and preparedness to limit both the likelihood and impact of account takeover or data exposure.
- Ensure Cal.com Cloud is updated to version 6.0.8 or later, and make sure your organization has a solid patch management program in place.
- Review audit logs and configure alerts for suspicious activity, including password resets, organization changes, and unusual booking access or deletions.
- Rotate API keys, OAuth tokens, calendar integrations, and reset credentials for affected or high-privilege users.
- Enforce strong identity controls, including MFA, conditional access policies, and step-up authentication for sensitive actions.
- Restrict organization invites and access by applying approved email domain controls and least-privilege role assignments.
- Limit exposure by scoping API permissions, applying rate limiting, and monitoring for abnormal signup or invite token usage.
- Test and update incident response plans to ensure teams can quickly detect, contain, and recover from account takeover or data exposure scenarios.
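One way to turn the alerting advice above into a concrete rule, added here as an example and not a Cal.com feature: correlate audit events so that a password change and an organization change on the same account within a short window raise an alert, while an ordinary self-service reset does not. The event shape, field names and five-minute window are assumptions.

```typescript
// Added example, not a Cal.com feature. Correlates constructed audit events
// to surface the takeover pattern described in this article.
type AuditEvent = {
  ts: number;                                             // epoch seconds
  user: string;
  kind: "password_changed" | "org_changed" | "login";
  actor: string;                                          // who triggered it
};

const WINDOW_SECONDS = 300; // assumed correlation window: 5 minutes

// Constructed audit trail: one account changes password and org almost at
// once via a signup flow; another resets its own password and is moved to a
// new org by an admin hours later.
function sampleEvents(): AuditEvent[] {
  return [
    { ts: 1000, user: "victim@example.com", kind: "login", actor: "victim@example.com" },
    { ts: 1700, user: "victim@example.com", kind: "password_changed", actor: "signup-flow" },
    { ts: 1702, user: "victim@example.com", kind: "org_changed", actor: "signup-flow" },
    { ts: 2000, user: "dev@example.com", kind: "password_changed", actor: "dev@example.com" },
    { ts: 9000, user: "dev@example.com", kind: "org_changed", actor: "admin@example.com" },
  ];
}

// Returns one alert string per user whose password and organization both
// changed within WINDOW_SECONDS of each other, regardless of event order.
function detectTakeoverPattern(events: AuditEvent[]): string[] {
  const byUser = new Map<string, AuditEvent[]>();
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.kind === "login") continue;
    byUser.set(e.user, [...(byUser.get(e.user) ?? []), e]);
  }
  const alerts: string[] = [];
  for (const [user, evs] of byUser) {
    const pw = evs.filter(e => e.kind === "password_changed");
    const org = evs.filter(e => e.kind === "org_changed");
    const hit = pw.some(p => org.some(o => Math.abs(o.ts - p.ts) <= WINDOW_SECONDS));
    if (hit) alerts.push(`${user}: password and organization changed within ${WINDOW_SECONDS}s`);
  }
  return alerts;
}
```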
These steps help organizations strengthen their overall security posture and reduce blast radius.
Security Risks in SaaS Infrastructure
The Cal.com incident highlights how access control issues continue to be a common challenge for modern SaaS platforms, particularly those that serve as shared infrastructure across organizations.
When authentication and authorization logic becomes complex, even routine workflows such as scheduling can introduce unintended security gaps if controls are not consistently enforced.
These findings illustrate how subtle logic errors can persist in mature, open-source projects despite ongoing security reviews.
The research also demonstrates the growing value of AI-assisted security analysis, which can help identify and validate complex, multi-step issues more efficiently as applications increase in scale and complexity.
As organizations address these access control gaps, zero-trust solutions are increasingly being adopted to strengthen identity verification and limit the impact of compromise.
