Hijacked by Design: How Cal.com’s Hidden Flaws Unlocked a Goldmine of User Data

It started with an innocuous invite link - a routine feature in scheduling tools. But behind the scenes at Cal.com, a popular open-source alternative to Calendly, a trio of subtle coding missteps opened the floodgates for account takeovers and massive data exposure. With just an email and a cleverly crafted URL, attackers could lock out users, commandeer their calendars, and rifle through confidential meetings undetected. The breach, uncovered by Gecko’s AI-powered security engine, reveals how even sophisticated, community-driven platforms can harbor devastating vulnerabilities right under their maintainers’ noses.

The Anatomy of an Account Takeover

Cal.com’s troubles began in the organization signup flow - a process designed to streamline collaboration but marred by three chained logic flaws. The system failed to properly check if an email was already registered across the entire platform. Instead, it only checked within a specific organization, allowing an attacker to use an invite link and the victim’s email to “re-sign up” as if they were a new user. The upshot? The attacker overwrote the victim’s password, changed their username, and reassigned the account to their own organization - all without alerting the real user, who was abruptly locked out.

But the breach didn’t end there. API endpoints meant to be internal - named with subtle underscores - were left exposed due to quirks in the Next.js framework. By calling these routes directly, any user with an API key could sidestep authorization checks, accessing or deleting bookings and even entire calendar integrations across the platform. Names, emails, meeting details, and histories were all up for grabs.

These twin vulnerabilities highlight a persistent truth in cybersecurity: small, overlooked bugs - especially in access control - can combine into catastrophic failures. According to OWASP’s 2025 Top 10, every tested application showed some form of broken access control, and Cal.com’s incident is a sobering case study.

AI: The Unlikely Detective

What sets this incident apart is the role of artificial intelligence. Gecko’s AI static analysis engine rapidly mapped Cal.com’s codebase, uncovering the multi-step exploit chain that had eluded both automated scanners and human pentesters. The speed and depth of this analysis suggest a future where AI-augmented tools could become essential for securing complex, evolving codebases - especially in open-source projects where oversight gaps can persist for months or years.

Aftermath and Lessons Learned

Cal.com responded quickly, patching the flaws in version 6.0.8 and tightening both user validation and API route protections. For users, it’s a reminder that even trusted open-source tools can harbor hidden risks. For developers, the saga underscores the importance of rigorous, global access checks and the dangers of assuming that framework conventions will always keep sensitive routes safe.

The Cal.com breach is a cautionary tale: in the digital era, a single overlooked detail can turn a helpful feature into a hacker’s backdoor. Vigilance - human and artificial - remains our best defense.

WIKICROOK

• Access Control: Access control sets rules and uses tools to decide who can view, use, or change sensitive computer systems and data, protecting them from unauthorized access.
• Invite Link: An invite link is a unique URL that allows users to join a group or platform, often containing a token for secure and controlled access.
• API Endpoint: An API endpoint is a specific web address where software systems exchange data, acting as a secure digital service window for requests and responses.
• IDOR (Insecure Direct Object Reference): IDOR is a vulnerability where attackers access unauthorized data or functions by manipulating object references, due to missing access checks.
• Static Analysis: Static analysis examines code without running it to detect errors or vulnerabilities early, helping improve software quality and security.