Critical Authentication Bypass Flaw in Cal.com Exposes User Accounts to Takeover A severe vulnerability in Cal.com, an open-source scheduling and booking platform, was recently disclosed, allowing attackers to bypass authentication and hijack any user account including administrators without requiring passwords, session tokens, or multi-factor authentication (MFA). Tracked as GHSA-7hg4-x4pr-3hrg, the flaw affects versions 3.1.6 through 6.0.6 and stems from a logic error in the platform’s custom NextAuth JWT callback. The vulnerability occurs when an attacker manipulates an API request to overwrite the email field in a JSON Web Token (JWT) without server-side validation. Since Cal.com’s backend reconstructs user sessions based on this unvalidated input, the forged token grants full authenticated access to the targeted account. Security mechanisms like 2FA or federated identity providers (IdPs) provide no protection, as the exploit bypasses trust checks entirely. Impact & Exploitation - Attackers can impersonate any user by knowing their email address. - Compromised accounts gain access to connected integrations (Google Calendar, Zoom), billing modules, and administrative permissions. - A single API request is sufficient to execute the attack, requiring minimal effort. Remediation & Response Cal.com released a patch in version 6.0.7, securing hosted instances immediately. Self-hosted deployments must upgrade to the latest version to mitigate risk. As of disclosure, no active exploitation has been detected in the wild, though security experts recommend rotating exposed API tokens as a precaution. The flaw underscores the critical need for strict input validation in JWT-based authentication systems, particularly when handling client-controlled data.