Skip to main content

Cal.com cal.diy CVE-2026-9349

| EUVDEUVD-2026-31561 MEDIUM
Information Exposure (CWE-200)
2026-05-24 VulDB GHSA-23fj-h8hh-93x3
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 26, 2026 - 20:07 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
May 24, 2026 - 03:46 vuln.today

DescriptionCVE.org

A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. This manipulation of the argument cancelledBy/rescheduledBy causes information disclosure. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Information disclosure in Cal.com cal.diy up to version 4.9.4 allows remote unauthenticated attackers to access sensitive booking data through manipulation of cancelledBy/rescheduledBy parameters in the bookings single view API endpoint. The vulnerability affects the Generic React API's getServerSideProps function, enabling unauthorized retrieval of booking-related information. Public exploit code exists demonstrating the attack technique, and the vendor has not responded to coordinated disclosure attempts, leaving users at elevated risk until patches are self-applied.

Technical ContextAI

The vulnerability resides in apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx within Cal.com's Generic React API implementation. The getServerSideProps function in Next.js executes on the server side during page rendering and typically handles data fetching before sending HTML to the client. This function improperly validates or sanitizes the cancelledBy and rescheduledBy query parameters, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). By manipulating these parameters in API requests, attackers can bypass intended access controls and retrieve booking information that should be restricted. Cal.com (also branded as cal.diy for self-hosted deployments) is an open-source scheduling infrastructure platform built on Next.js/React, commonly deployed as calendar and booking management systems for businesses.

RemediationAI

Upgrade to Cal.com cal.diy version 4.9.5 or later if such a patched release becomes available through the project's GitHub repository at https://github.com/calcom/cal.com. Since the vendor has not issued an official advisory or confirmed patch version, organizations must monitor the project repository for commits addressing CVE-2026-9349 or parameter validation in getServerSideProps functions. Immediate compensating controls include implementing Web Application Firewall (WAF) rules to block or sanitize cancelledBy and rescheduledBy parameters in requests to /bookings/* endpoints, though this may break legitimate booking cancellation/rescheduling workflows requiring testing in staging environments first. Apply strict input validation middleware to reject requests with unexpected parameter values or patterns. Consider temporarily restricting access to the bookings API endpoints to authenticated users only via reverse proxy authentication layers, accepting the trade-off of degraded user experience for unauthenticated booking views. Network segmentation to limit cal.diy instance exposure only to trusted networks reduces attack surface but conflicts with typical public-facing calendar use cases. Review application logs for suspicious patterns in cancelledBy/rescheduledBy parameter usage since the exploit became public. Reference the POC at https://gist.github.com/YLChen-007/b59c44d1550c4b0f373ca4eb1c150994 to understand exact exploitation techniques for detection rule development.

Share

CVE-2026-9349 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy