Cal.com: Critical Cal.com Vulnerability Let Attackers Bypass Authentication and Hijack Any User Account

Critical Authentication Bypass Flaw in Cal.com Exposes User Accounts to Takeover

A severe vulnerability in Cal.com, an open-source scheduling and booking platform, was recently disclosed, allowing attackers to bypass authentication and hijack any user account, including administrator accounts, without requiring passwords, session tokens, or multi-factor authentication (MFA). Tracked as GHSA-7hg4-x4pr-3hrg, the flaw affects versions 3.1.6 through 6.0.6 and stems from a logic error in the platform’s custom NextAuth JWT callback.

The vulnerability occurs when an attacker manipulates an API request to overwrite the email field in a JSON Web Token (JWT) without any server-side validation of the new value. Because Cal.com’s backend reconstructs the user session from this unvalidated claim, the forged token grants full authenticated access to the targeted account. Security mechanisms such as 2FA or federated identity providers (IdPs) offer no protection, since the exploit bypasses those trust checks entirely.

Impact & Exploitation

  • Attackers can impersonate any user by knowing their email address.
  • Compromised accounts gain access to connected integrations (Google Calendar, Zoom), billing modules, and administrative permissions.
  • A single API request is sufficient to execute the attack, requiring minimal effort.

Remediation & Response

Cal.com released a patch in version 6.0.7, securing hosted instances immediately. Self-hosted deployments must upgrade to the latest version to mitigate the risk. As of disclosure, no active exploitation had been detected in the wild, though security experts recommend rotating exposed API tokens as a precaution.

The flaw underscores the critical need for strict input validation in JWT-based authentication systems, particularly when handling client-controlled data.
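The pattern the advisory describes, as an added illustration that is not Cal.com's own code (the real callback and the exact request that triggered the bug are not reproduced here; the session "update" trigger path, the allow-list of updatable fields, the user records and the `sessionFromToken` lookup are all assumptions made for this example): a NextAuth-style `jwt` callback that merges a client-supplied update straight into the token, shown beside a hardened version that sources identity claims only from the server-side user record and rejects any attempt to change them.

```javascript
// Added illustration, not Cal.com's code. The callback shape
// ({ token, user, trigger, session }) follows NextAuth's documented jwt
// callback; everything else here (user store, update path, lookup) is
// constructed for the example.

// Constructed user store: what the server knows at sign-in time.
const USERS = {
  "alice@example.com": { id: "u1", email: "alice@example.com", role: "user" },
  "admin@example.com": { id: "u0", email: "admin@example.com", role: "admin" },
};

// Vulnerable pattern (assumed for illustration): on a session "update" the
// callback spreads the client-supplied payload into the token, so an `email`
// field in the request body replaces the identity claim the session is
// later rebuilt from. No check decides which keys a client may change.
function vulnerableJwtCallback({ token, user, trigger, session }) {
  if (user) {
    return { ...token, sub: user.id, email: user.email, role: user.role };
  }
  if (trigger === "update" && session) {
    return { ...token, ...session }; // unvalidated merge of client input
  }
  return token;
}

// Hardened form: identity claims (sub, email, role) are set only from the
// server-side user record at sign-in. A session update may touch an explicit
// allow-list of non-identity fields; any other key is rejected loudly rather
// than silently copied into the token.
const UPDATABLE_FIELDS = new Set(["name", "locale", "timeZone"]);

function hardenedJwtCallback({ token, user, trigger, session }) {
  if (user) {
    return { ...token, sub: user.id, email: user.email, role: user.role };
  }
  if (trigger === "update" && session) {
    const next = { ...token };
    for (const [key, value] of Object.entries(session)) {
      if (!UPDATABLE_FIELDS.has(key)) {
        throw new Error(`refusing to update protected claim '${key}'`);
      }
      next[key] = value;
    }
    return next;
  }
  return token;
}

// Session reconstruction as the advisory describes it: the server trusts the
// token's email claim to look up the account (constructed lookup).
function sessionFromToken(token) {
  const record = USERS[token.email];
  if (!record) return null;
  return { userId: record.id, email: record.email, role: record.role };
}

// Sign in as alice, then push the same client-supplied update through a
// callback and report which account the resulting session resolves to.
function simulate(callback, update) {
  const signedIn = callback({ token: {}, user: USERS["alice@example.com"] });
  try {
    const updated = callback({ token: signedIn, trigger: "update", session: update });
    return { ok: true, session: sessionFromToken(updated) };
  } catch (err) {
    // Hardened path: the update is refused and the original session stands.
    return { ok: false, error: err.message, session: sessionFromToken(signedIn) };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", simulate(vulnerableJwtCallback, { email: "admin@example.com" }));
  console.log("hardened:  ", simulate(hardenedJwtCallback, { email: "admin@example.com" }));
}
```

The detection-side takeaway is the same as the remediation one: a JWT callback should never let a client-controlled object decide which claims it carries. Logging and alerting on rejected protected-claim updates (the `throw` path above) also gives defenders a signal that someone is probing the endpoint.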

Source: https://gbhackers.com/cal-com-authentication-bypass/

Cal.com, Inc. cybersecurity rating report: https://www.rankiteo.com/company/cal-com

{
"id": "CAL1768964190",
"linkid": "cal-com",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Users of self-hosted and hosted '
                                              'Cal.com instances (versions '
                                              '3.1.6 through 6.0.6)',
                        'industry': 'Scheduling/Booking',
                        'name': 'Cal.com',
                        'type': 'Software Platform'}],
 'attack_vector': 'API Manipulation',
 'data_breach': {'personally_identifiable_information': 'Email addresses, user '
                                                        'account details',
                 'sensitivity_of_data': 'High (account access, administrative '
                                        'permissions)',
                 'type_of_data_compromised': 'User account credentials, '
                                             'session tokens, connected '
                                             'integration data'},
 'description': 'A severe vulnerability in Cal.com, an open-source scheduling '
                'and booking platform, was recently disclosed, allowing '
                'attackers to bypass authentication and hijack any user '
                'account (including administrators) without requiring '
                'passwords, session tokens, or multi-factor authentication '
                '(MFA). The flaw stems from a logic error in the platform’s '
                'custom NextAuth JWT callback, where an attacker can '
                'manipulate an API request to overwrite the email field in a '
                'JSON Web Token (JWT) without server-side validation, granting '
                'full authenticated access to the targeted account.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'authentication bypass vulnerability',
            'data_compromised': 'User account access, connected integrations '
                                '(Google Calendar, Zoom), billing modules, '
                                'administrative permissions',
            'identity_theft_risk': 'High (account impersonation)',
            'operational_impact': 'Account takeover, unauthorized access to '
                                  'integrations and administrative functions',
            'systems_affected': 'Cal.com (versions 3.1.6 through 6.0.6)'},
 'lessons_learned': 'Critical need for strict input validation in JWT-based '
                    'authentication systems, particularly when handling '
                    'client-controlled data.',
 'post_incident_analysis': {'corrective_actions': 'Patch released to validate '
                                                  'JWT claims server-side; '
                                                  'upgrade recommended for all '
                                                  'affected versions',
                            'root_causes': 'Logic error in NextAuth JWT '
                                           'callback allowing unvalidated '
                                           'email field manipulation in JWTs'},
 'recommendations': 'Upgrade to patched version (6.0.7 or later), rotate '
                    'exposed API tokens, implement stricter server-side '
                    'validation for JWT claims.',
 'references': [{'source': 'GitHub Advisory'}],
 'response': {'containment_measures': 'Patch released (version 6.0.7)',
              'remediation_measures': 'Upgrade to version 6.0.7 or later; '
                                      'rotate exposed API tokens'},
 'title': 'Critical Authentication Bypass Flaw in Cal.com Exposes User '
          'Accounts to Takeover',
 'type': 'Authentication Bypass',
 'vulnerability_exploited': 'Logic error in NextAuth JWT callback '
                            '(GHSA-7hg4-x4pr-3hrg)'}