Critical Cal.com Flaw (CVE-2025-66489, CVSS 9.9) Allows Authentication Bypass by Submitting Fake TOTP Codes

A severe security vulnerability has been uncovered in Cal.com, the popular open-source scheduling platform positioned as the successor to Calendly. The flaw, which carries a near-maximum severity rating, could allow attackers to completely bypass authentication mechanisms, including password verification and Two-Factor Authentication (2FA), to hijack user accounts.

The vulnerability, tracked as CVE-2025-66489, has been assigned a critical CVSS score of 9.9. It resides deep within the platform’s login credentials provider.

The core issue is a logic error in the authorize() function, specifically within the file packages/features/auth/lib/next-auth-options.ts. According to the advisory, “The critical flaw is in the authentication logic… where password verification is skipped if a TOTP code is provided, even if other conditions are met”.

Essentially, the system becomes so focused on checking the Time-based One-Time Password (TOTP) code that it forgets to check if the password itself is correct.

This coding oversight creates two distinct attack vectors:

• Bypass for Non-2FA Users: For the majority of users who have not enabled 2FA, the risk is extreme. If an attacker submits a login request with any non-empty value in the totpCode field, the system skips the password check entirely. “The function then improperly proceeds to authenticate the user without further checks,” the report warns. This means knowing a victim’s email address is effectively the only barrier to entry.
• Reduced Security for 2FA Users: Even users who have enabled 2FA are not safe. While the system validates the TOTP code, it still ignores the password. “The TOTP code is validated, but without the password factor, leaving the account vulnerable to compromise if the TOTP code is known”. This effectively downgrades 2FA protection to single-factor authentication.

The consequences of exploitation are severe. Attackers could gain “unauthorized access to sensitive user data, including calendars, meeting links, and personal information”. Furthermore, the flaw could be leveraged for “user enumeration and impersonation,” allowing attackers to pivot to any account on the system.

The Cal.com team has released a patch to close this loophole.

• Affected Versions: 5.9.7 and prior.
• Fixed Version: 5.9.8.

Administrators and self-hosted users are urged to upgrade to version 5.9.8 immediately to restore the integrity of their authentication flow.

Related Posts:

• iOS Update: Proton Authenticator Bug Leaked TOTP Secrets in Plaintext Logs
• 184 Million Leaked Credentials Found in Open Database
• PyPI’s New Rule: 2FA Verification for All Project Maintainers