Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. This manipulation of the argument cancelledBy/rescheduledBy causes information disclosure. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Information disclosure in Cal.com cal.diy up to version 4.9.4 allows remote unauthenticated attackers to access sensitive booking data through manipulation of cancelledBy/rescheduledBy parameters in the bookings single view API endpoint. The vulnerability affects the Generic React API's getServerSideProps function, enabling unauthorized retrieval of booking-related information. Public exploit code exists demonstrating the attack technique, and the vendor has not responded to coordinated disclosure attempts, leaving users at elevated risk until patches are self-applied.
Technical ContextAI
The vulnerability resides in apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx within Cal.com's Generic React API implementation. The getServerSideProps function in Next.js executes on the server side during page rendering and typically handles data fetching before sending HTML to the client. This function improperly validates or sanitizes the cancelledBy and rescheduledBy query parameters, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). By manipulating these parameters in API requests, attackers can bypass intended access controls and retrieve booking information that should be restricted. Cal.com (also branded as cal.diy for self-hosted deployments) is an open-source scheduling infrastructure platform built on Next.js/React, commonly deployed as calendar and booking management systems for businesses.
RemediationAI
Upgrade to Cal.com cal.diy version 4.9.5 or later if such a patched release becomes available through the project's GitHub repository at https://github.com/calcom/cal.com. Since the vendor has not issued an official advisory or confirmed patch version, organizations must monitor the project repository for commits addressing CVE-2026-9349 or parameter validation in getServerSideProps functions. Immediate compensating controls include implementing Web Application Firewall (WAF) rules to block or sanitize cancelledBy and rescheduledBy parameters in requests to /bookings/* endpoints, though this may break legitimate booking cancellation/rescheduling workflows requiring testing in staging environments first. Apply strict input validation middleware to reject requests with unexpected parameter values or patterns. Consider temporarily restricting access to the bookings API endpoints to authenticated users only via reverse proxy authentication layers, accepting the trade-off of degraded user experience for unauthenticated booking views. Network segmentation to limit cal.diy instance exposure only to trusted networks reduces attack surface but conflicts with typical public-facing calendar use cases. Review application logs for suspicious patterns in cancelledBy/rescheduledBy parameter usage since the exploit became public. Reference the POC at https://gist.github.com/YLChen-007/b59c44d1550c4b0f373ca4eb1c150994 to understand exact exploitation techniques for detection rule development.
Cross-site request forgery (CSRF) in Cal.com cal.diy versions up to 4.9.4 enables remote attackers to perform unauthoriz
Server-side request forgery in Cal.com cal.diy versions up to 4.9.4 enables authenticated attackers to make the server p
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31561
GHSA-23fj-h8hh-93x3