CVE-2025-66489

Summary

Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Affected Software

VendorProductVersion RangeStatus
calcomcal.com< 5.9.8affected

Weaknesses

  • CWE-303: CWE-303: Incorrect Implementation of Authentication Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References