PT-2025-48991 · Cal.Com · Cal.Com

Published: 2025-12-03 · Updated: 2026-01-14 · CVE-2025-66489

CVSS v4.0: 9.9 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Cal.com versions prior to 5.9.8
Description: Cal.com, an open-source scheduling application, has a flaw in its credentials login provider: password verification is skipped whenever the totpCode parameter contains any non-empty value, a consequence of faulty conditional logic in the authentication flow. Approximately 983 exposed instances and 15.2K services are potentially affected. Submitting a fake TOTP code therefore allows full account takeover, and for users with two-factor authentication enabled it degrades login security to single-factor TOTP validation. The vulnerable API endpoint is '/api/auth/callback/credentials', and the vulnerable parameters are password and totpCode.
Recommendations: Upgrade to version 5.9.8 to restore proper password and TOTP validation.
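The bug class described above, as an added illustration in TypeScript that is not Cal.com's code: a constructed credentials-provider flow in which the password check is gated on totpCode being empty, beside the corrected flow that always verifies the password and treats TOTP only as an additional factor. The user records, salt and TOTP secret are constructed demo values, and the injected `now` timestamp exists only to make the check deterministic.

```typescript
import { createHmac, scryptSync, timingSafeEqual } from "node:crypto";
// Constructed demo users (not Cal.com data); Alice has 2FA enabled, Bob does not.
interface User { email: string; salt: string; hash: Buffer; totpSecret?: Buffer }
function makeUser(email: string, password: string, totpSecret?: Buffer): User {
  const salt = "demo-salt"; // constructed; a real store uses a random per-user salt
  return { email, salt, hash: scryptSync(password, salt, 32), totpSecret };
}
const users: Record<string, User> = {
  "alice@example.com": makeUser("alice@example.com", "correct horse", Buffer.from("12345678901234567890")),
  "bob@example.com": makeUser("bob@example.com", "battery staple"),
};

function passwordOk(user: User, password: string): boolean {
  return timingSafeEqual(scryptSync(password, user.salt, 32), user.hash);
}

// RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits); `now` is injected so checks are deterministic.
function totp(secret: Buffer, now: number, step = 30): string {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(now / step)));
  const h = createHmac("sha1", secret).update(counter).digest();
  const off = h[h.length - 1] & 0x0f;
  const bin = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
  return String(bin % 1000000).padStart(6, "0");
}
function totpOk(user: User, code: string, now: number): boolean {
  if (!user.totpSecret || !/^\d{6}$/.test(code)) return false;
  return timingSafeEqual(Buffer.from(totp(user.totpSecret, now)), Buffer.from(code));
}
interface Creds { email: string; password: string; totpCode?: string }

// Flawed flow (constructed to illustrate the bug class): the password check is
// gated on totpCode being empty, so any non-empty totpCode skips it entirely.
function authorizeVulnerable(c: Creds, now: number): User | null {
  const user = users[c.email];
  if (!user) return null;
  if (!c.totpCode && !passwordOk(user, c.password)) return null;
  if (user.totpSecret && !totpOk(user, c.totpCode ?? "", now)) return null;
  return user;
}

// Corrected flow: the password is always verified first; TOTP is an additional
// factor required only when the user has 2FA enabled, never a substitute.
function authorizeFixed(c: Creds, now: number): User | null {
  const user = users[c.email];
  if (!user || !passwordOk(user, c.password)) return null;
  if (user.totpSecret && (!c.totpCode || !totpOk(user, c.totpCode, now))) return null;
  return user;
}
```

A regression test that submits a wrong password together with a non-empty totpCode, for both a 2FA and a non-2FA account, is the check that distinguishes the two flows.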

Related Identifiers

CVE-2025-66489
GHSA-9R3W-4J8Q-PW98

Affected Products

Cal.Com