Hackers News

Cal.com Broken Access Control Allows Account Takeover and Exposes Booking Data

Emy Elsamnoudy
January 29, 2026

A significant security vulnerability has recently affected Cal.com, the open-source scheduling platform millions rely on for managing their calendars and booking meetings.

The platform provides an alternative to tools like Calendly, offering features like calendar syncing, team scheduling, and video conferencing.

On January 26, 2026, security researchers discovered that attackers could break into any user’s account and access sensitive booking information belonging to entire organizations.

The vulnerability discovered in Cal.com Cloud involved a chain of three separate but connected security flaws that worked together to create a complete account takeover.

These weaknesses existed in the platform’s signup process and booking data endpoints. When combined, they allowed attackers to hijack user accounts and steal private meeting details, attendee names, emails, and complete booking histories from millions of bookings stored on the platform.

Gecko Security analysts identified these critical security issues through an AI-powered security analysis tool that scanned the Cal.com codebase.

The researchers found that the platform’s defenses had multiple gaps that could be exploited sequentially.

Their investigation revealed how subtle bugs in core components could chain together and completely dismantle the platform’s security boundaries, affecting admin accounts and paid users alike.

How the Authentication Bypass Worked

The most dangerous flaw was an authentication bypass that allowed attackers to take over existing user accounts through organization invite tokens.

The vulnerability started with a flawed username validation function that failed to check properly whether an email address was already registered.

When someone tried to sign up using an organization invite link, the system incorrectly approved signups for users who already had accounts with the platform.

The attack happened in three steps. First, the signup validation incorrectly allowed users already in organizations to bypass security checks. Second, email validation only searched within the attacker’s organization, missing victims in other organizations.

Finally, the database operation used globally unique email addresses to match users, which meant it overwrote the victim’s password with the attacker’s chosen password.

To exploit this, an attacker simply generated a shareable invite link, navigated to the signup page, entered any victim’s email address and their chosen password, and gained full account access.

No warning was sent to the actual account owner. Cal.com patched this issue in version 6.0.8 by adding proper user existence checks before signup.
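
The scope mismatch described above, reduced to an in-memory model and shown beside a hardened version. This is an added example, not Cal.com's code and not part of the original article; `UserStore`, `signupFlawed`, `signupHardened` and the sample data are hypothetical names constructed for illustration.

```typescript
// Constructed in-memory model of the flaw; all names are hypothetical.
type User = { email: string; orgId: number | null; passwordHash: string };
type Result = { ok: boolean; reason?: string };

class UserStore {
  private byEmail = new Map<string, User>(); // email is unique platform-wide
  constructor(seed: User[]) {
    for (const u of seed) this.byEmail.set(u.email, { ...u });
  }
  findGlobal(email: string): User | undefined {
    return this.byEmail.get(email);
  }
  findInOrg(email: string, orgId: number): User | undefined {
    const u = this.byEmail.get(email);
    return u !== undefined && u.orgId === orgId ? u : undefined;
  }
  // Upsert keyed on email: an existing row is updated, whatever its org.
  upsert(email: string, orgId: number, passwordHash: string): void {
    const existing = this.byEmail.get(email);
    if (existing) existing.passwordHash = passwordHash;
    else this.byEmail.set(email, { email, orgId, passwordHash });
  }
  // Create-only write: refuses to touch an existing row.
  create(email: string, orgId: number, passwordHash: string): boolean {
    if (this.byEmail.has(email)) return false;
    this.byEmail.set(email, { email, orgId, passwordHash });
    return true;
  }
}

// Flawed: the existence check is scoped to the inviting org, the write is not.
function signupFlawed(s: UserStore, email: string, inviteOrg: number, hash: string): Result {
  if (s.findInOrg(email, inviteOrg)) return { ok: false, reason: "already registered" };
  s.upsert(email, inviteOrg, hash);
  return { ok: true };
}

// Hardened: check in the same scope as the unique key, and never update on signup.
function signupHardened(s: UserStore, email: string, inviteOrg: number, hash: string): Result {
  if (s.findGlobal(email)) return { ok: false, reason: "already registered" };
  return s.create(email, inviteOrg, hash) ? { ok: true } : { ok: false, reason: "already registered" };
}

// Constructed data: an existing account in org 1, an invite issued by org 2.
const seed: User[] = [{ email: "owner@example.test", orgId: 1, passwordHash: "HASH_ORIGINAL" }];
```

The point for code review is that an existence check must cover the same scope as the uniqueness key of the write that follows it, and that a signup path should use a create-only write rather than an upsert.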

The second vulnerability exposed booking data through Insecure Direct Object References on API endpoints, allowing any authenticated user to read and delete all bookings platform-wide. Cal.com blocked direct access to these internal route handlers and released fixes within days of the report.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
