CRITICAL🇵🇱 Wersja polska

CVE-2025-66489

CVSS 9.9v4.0pub. 2025-12-03upd. 2026-02-13

Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

🤖 AI Analysis
How it works

The vulnerability (CWE-303) results from incorrect conditional logic in the credentials-based authentication provider. When an attacker supplies a TOTP code (one-time two-factor authentication code), the password verification mechanism is improperly bypassed. This means that knowledge of only the TOTP code — without knowledge of the password — may be sufficient to hijack a user session.

Impact

An attacker can gain unauthorized access to Cal.com user accounts without knowing their passwords. In the case of administrator accounts, this can lead to complete takeover of the application instance and customer data.

Mitigation & patch

Cal.com should be updated to version 5.9.8 or later, in which the vulnerability has been fixed. Administrators of self-hosted installations should apply the update immediately.

Who is affected

Cal.com versions earlier than 5.9.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Cal Cal.com

    APP
    Cal
    < 5.9.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-23478CRITICAL10.0PL ✓ten sam produkt

Cal.com: przejęcie konta przez manipulację JWT callback w NextAuth

CVE-2023-1647HIGH8.8ten sam produkt

Improper Access Control in GitHub repository calcom/cal.com prior to 2.7.

CVE-2023-37919MEDIUM6.5ten sam produkt

Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account ...