Advisory

Critical authentication flaw reported in Cal.com

Take action: If you're using the Cal.com scheduling platform, immediately upgrade to version 5.9.8 or later. There's an almost absurdly simple (and critical) flaw that lets attackers break into the accounts of most users who don't have 2FA enabled. If you can't upgrade right away, enforce two-factor authentication (2FA) for all users as a temporary protection measure.


Learn More

Cal.com, an open-source scheduling platform, is reporting a critical authentication bypass vulnerability that could allow attackers to gain unauthorized access to user accounts. 

The flaw, tracked as CVE-2025-66489 (CVSS score 10.0), allows attackers to circumvent password verification whenever a TOTP (Time-based One-Time Password) code is provided, and can lead to complete compromise of user accounts. It is located in the authorize() function of the credentials provider, in the file packages/features/auth/lib/next-auth-options.ts. The problematic conditional logic at lines 179-187 skips password verification when the TOTP code field contains any value at all, regardless of whether that code is valid or the password is correct.

In the first attack scenario, for users without two-factor authentication enabled, which is the majority of users, an attacker can bypass both password and TOTP verification by simply submitting any non-empty value in the totpCode field along with the victim's email address.

In the second attack scenario, for users with 2FA enabled, the presence of a TOTP code causes the system to bypass password verification, effectively reducing multi-factor authentication to single-factor authentication. Fortunately the TOTP code itself is still validated in this case, but removing the password factor weakens the security posture and leaves accounts exposed if an attacker obtains or guesses the TOTP code.

The vulnerability affects all Cal.com versions up to and including 5.9.7, with version 5.9.8 containing the necessary security patch. 

Cal.com has released version 5.9.8 that patches this vulnerability. Users can verify their current Cal.com version and should immediately upgrade to version 5.9.8 or later to mitigate this critical risk. 

Organizations unable to upgrade immediately should at least enforce 2FA for all users, since an attacker then needs a valid TOTP code for the targeted account, which is not trivial to obtain.
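The following TypeScript is an added illustration of the control-flow defect described above and of why enforcing 2FA mitigates it; it is not Cal.com's source and not the patch the project shipped in 5.9.8. It contrasts a credentials authorize() that only checks the password when no TOTP code was submitted (the pattern the advisory describes) with a corrected one that always verifies the password and then demands the second factor exactly when the account has one enrolled. The user store, the sample passwords, and the helper names (hashPassword, verifyTotp, authorizeVulnerable, authorizeFixed) are assumptions made for this example; the TOTP secret is the RFC 6238 test-vector secret so the expected code is reproducible offline.

```typescript
import { createHmac, scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed, minimal account and credential shapes (assumptions, not Cal.com's schema).
interface User { email: string; salt: Buffer; passwordHash: Buffer; totpSecret?: Buffer; }
interface Credentials { email: string; password?: string; totpCode?: string; }

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

function verifyPassword(user: User, password: string | undefined): boolean {
  if (!password) return false;
  return timingSafeEqual(hashPassword(password, user.salt), user.passwordHash);
}

// RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, dynamically truncated to 6 digits.
function totpAt(secret: Buffer, step: number): string {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(step));
  const mac = createHmac("sha1", secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return (binary % 1_000_000).toString().padStart(6, "0");
}

// Accept the current step and one step either side to tolerate clock drift; `nowMs` is injected
// so the check is deterministic offline.
function verifyTotp(secret: Buffer, code: string | undefined, nowMs: number): boolean {
  if (!code || !/^\d{6}$/.test(code)) return false;
  const step = Math.floor(nowMs / 1000 / 30);
  const got = Buffer.from(code);
  return [step - 1, step, step + 1].some((s) => timingSafeEqual(Buffer.from(totpAt(secret, s)), got));
}

// VULNERABLE control flow, modelled on the advisory's description: a non-empty totpCode field
// causes the password check to be skipped, whether or not the code is valid.
function authorizeVulnerable(users: Map<string, User>, creds: Credentials, nowMs: number): User | null {
  const user = users.get(creds.email.toLowerCase());
  if (!user) return null;
  if (!creds.totpCode) {                        // BUG: password is only checked when no TOTP code was sent
    if (!verifyPassword(user, creds.password)) return null;
  }
  if (user.totpSecret && !verifyTotp(user.totpSecret, creds.totpCode, nowMs)) return null;
  return user;                                  // account without 2FA + any totpCode => no factor checked
}

// FIXED control flow: the password is always verified first; the second factor is then required
// exactly when the account has one enrolled. What the client chose to send never decides which
// factors apply.
function authorizeFixed(users: Map<string, User>, creds: Credentials, nowMs: number): User | null {
  const user = users.get(creds.email.toLowerCase());
  if (!user) return null;
  if (!verifyPassword(user, creds.password)) return null;
  if (user.totpSecret && !verifyTotp(user.totpSecret, creds.totpCode, nowMs)) return null;
  return user;
}

// Constructed sample accounts. The TOTP secret is the RFC 6238 test-vector secret, so the expected
// code at NOW_MS (T = 59 s, step 1) is the documented value 287082.
function makeUser(email: string, password: string, totpSecret?: Buffer): User {
  const salt = randomBytes(16);
  return { email, salt, passwordHash: hashPassword(password, salt), totpSecret };
}
const TOTP_SECRET = Buffer.from("12345678901234567890", "ascii");
const users = new Map<string, User>([
  ["alice@example.com", makeUser("alice@example.com", "alice-sample-password")],        // no 2FA
  ["bob@example.com", makeUser("bob@example.com", "bob-sample-password", TOTP_SECRET)],  // 2FA enrolled
]);
const NOW_MS = 59_000;

// Summarise both advisory scenarios against both implementations.
function demo(): Record<string, boolean> {
  const junkTotp = { email: "alice@example.com", totpCode: "x" };                   // scenario 1
  const codeOnly = { email: "bob@example.com", totpCode: totpAt(TOTP_SECRET, 1) };   // scenario 2
  return {
    vulnerable_no2fa_bypass: authorizeVulnerable(users, junkTotp, NOW_MS) !== null,
    fixed_no2fa_bypass: authorizeFixed(users, junkTotp, NOW_MS) !== null,
    vulnerable_2fa_password_skipped: authorizeVulnerable(users, codeOnly, NOW_MS) !== null,
    fixed_2fa_password_skipped: authorizeFixed(users, codeOnly, NOW_MS) !== null,
  };
}
console.log(demo());
```

The lesson for reviewers of any credentials provider is that the set of factors to verify must be derived from the account's enrolment state, never from which form fields the client filled in. The example also shows why enforced 2FA is a reasonable stopgap: against the vulnerable flow, an enrolled account still rejects a request whose TOTP code is wrong, so an attacker is left with the single remaining factor rather than none.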
