
The breach demonstrated how even well‑maintained open‑source SaaS can suffer full account takeover, risking sensitive personal and business data, and underscores the necessity of rigorous access‑control checks in modern web applications.
Broken access control remains the most common flaw in web applications, and the Cal.com incident is a textbook example of its destructive potential. By exploiting a missing global email check in the organization‑signup flow, an attacker could reuse an invite token to overwrite a victim’s password hash, seize OAuth tokens, and commandeer calendar integrations. Simultaneously, misconfigured Next.js routes exposed internal handlers, turning any valid API key into a master key that could read or delete bookings across every organization. The breach exposed personal meeting details and threatened the continuity of business workflows that rely on the platform.
The root cause of the signup exploit was a cascade of three logic errors: the username‑check routine incorrectly reported availability, the organization‑scoped query failed to verify global uniqueness, and the Prisma upsert operation silently merged the attacker’s data with the victim’s record. This chain illustrates how a single oversight in validation can cascade into full credential takeover. On the API side, developers assumed that underscore‑prefixed files were private, overlooking Next.js’s ability to serve them directly. Enforcing middleware on every endpoint and renaming internal handlers are simple mitigations that could have prevented the exposure.
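The validation chain described above, reduced to a runnable model as an added example (this is not Cal.com's own code; the in-memory user table, `upsertByEmail`, and both signup functions are constructed stand-ins for the real Prisma calls):

```typescript
// Added example, not Cal.com's code: an in-memory stand-in for the Prisma
// user table so the signup-flow logic bug can be run without a database.
type User = { email: string; username: string; orgId: number | null; passwordHash: string };

// Constructed sample data: one pre-existing user outside any organization.
function sampleTable(): User[] {
  return [{ email: "victim@example.com", username: "victim", orgId: null, passwordHash: "hash-victim" }];
}

// Mimics prisma.user.upsert keyed on the globally unique email column:
// update the matching row if one exists, otherwise insert a new one.
function upsertByEmail(table: User[], email: string, data: Omit<User, "email">): User {
  const existing = table.find((u) => u.email === email);
  if (existing) {
    Object.assign(existing, data); // silently merges the new fields into the old row
    return existing;
  }
  const created: User = { email, ...data };
  table.push(created);
  return created;
}

// Vulnerable flow: availability is checked only within the invited
// organization, so an address that already exists elsewhere passes the
// check and the upsert overwrites that user's password hash.
function signupVulnerable(table: User[], email: string, username: string, orgId: number, passwordHash: string): User {
  const takenInOrg = table.some((u) => u.orgId === orgId && (u.email === email || u.username === username));
  if (takenInOrg) throw new Error("email or username already taken in this organization");
  return upsertByEmail(table, email, { username, orgId, passwordHash });
}

// Hardened flow: uniqueness is verified against the whole table, and the
// insert is create-only, so an unexpected match can never turn into an
// update of somebody else's record.
function signupHardened(table: User[], email: string, username: string, orgId: number, passwordHash: string): User {
  const takenGlobally = table.some((u) => u.email === email || u.username === username);
  if (takenGlobally) throw new Error("email or username already registered");
  const created: User = { email, username, orgId, passwordHash };
  table.push(created);
  return created;
}
```

Running both flows against the same sample table shows the difference: the vulnerable path leaves one row whose password hash has been replaced, the hardened path refuses and leaves the existing row untouched.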
The discovery underscores the growing value of AI‑augmented static analysis. Gecko’s platform built a semantic index of Cal.com’s codebase, traced data flows, and identified the multi‑step vulnerability chain in a matter of hours—far faster than traditional manual pen‑testing. As more organizations adopt AI‑driven security tooling, we can expect earlier detection of complex logic flaws and reduced reliance on exhaustive manual reviews. Companies should integrate such solutions into CI/CD pipelines, enforce defense‑in‑depth principles, and continuously audit routing configurations to stay ahead of evolving attack techniques.