Cyber Posture

CVE-2025-66489

Severity: Critical · Public PoC

Published: 03 December 2025
Modified: 13 February 2026
KEV Added: (no date)
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.1 percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Requires systems to correctly identify and authenticate organizational users using defined authenticators, directly preventing the TOTP-based password bypass in Cal.com's authentication flow.
- Prevent: Mandates proper management of authenticators including TOTP, addressing mishandling in the login credentials provider's conditional logic.
- Prevent: Requires timely identification, reporting, and correction of system flaws, such as patching Cal.com to version 5.9.8 to remediate the authentication bypass vulnerability.

Security Summary

CVE-2025-66489 is a critical authentication bypass vulnerability in Cal.com, an open-source scheduling application. In versions prior to 5.9.8, a flaw in the login credentials provider enables attackers to skip password verification when a TOTP code is supplied, stemming from faulty conditional logic in the authentication flow. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-303 (Incorrect Implementation of Authentication Algorithm).

Any unauthenticated attacker with network access can exploit this issue remotely with low complexity and no user interaction required. Exploitation allows bypassing password checks during login attempts that include a valid TOTP code, resulting in unauthorized access to affected user accounts and high-impact compromise of confidentiality, integrity, and availability.

The vulnerability is remediated in Cal.com version 5.9.8. Additional details on the fix and affected configurations are available in the GitHub security advisory at https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98.

Details

CWE(s): CWE-303 (Incorrect Implementation of Authentication Algorithm)

Affected Products: cal / cal.com ≤ 5.9.8

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Critical authentication bypass in a public-facing scheduling web application (AV:N/PR:N) directly enables unauthenticated remote exploitation for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0