Wednesday, April 22, 2026

Severe Cal.com Vulnerability Lets Attackers Bypass Authentication with Fake TOTP Codes

Cal.com, a popular open-source scheduling platform, faces a critical authentication flaw that allows attackers to bypass password checks by using fake TOTP codes.

Security researcher Emrysal disclosed the issue last week via GitHub Advisory GHSA-9r3w-4j8q-pw98.

Rated critical, it affects versions up to 5.9.7. Users should update to 5.9.8 immediately to block unauthorized access to calendars and personal data.

The bug lies in the authorize() function of the login flow in packages/features/auth/lib/next-auth-options.ts (lines 179-187).

Flawed conditional logic skips password verification if a TOTP code is supplied, even a fake one. This creates two attack paths.

Vulnerability Mechanics and Exploit Scenarios

For users without 2FA enabled (the majority), a non-empty totpCode field causes the password check to be skipped entirely, and because the account has no second factor, no TOTP check runs either.

Attackers need only the victim's email; no valid password or TOTP is required. The request is authenticated without a single credential being verified.

Here's the vulnerable snippet, with comments marking where the bypass occurs:

// A CAL-provider account with no password hash cannot log in at all.
if (!user.password?.hash && user.identityProvider == IdentityProvider.CAL) {
  throw new Error(ErrorCode.IncorrectEmailPassword);
}

// BUG: the password is only verified when the request carries no totpCode,
// so any non-empty totpCode (valid or not) skips this block entirely.
if (user.password?.hash && !credentials.totpCode) {
  const isCorrectPassword = await verifyPassword(credentials.password, user.password.hash);
  if (!isCorrectPassword) {
    throw new Error(ErrorCode.IncorrectEmailPassword);
  }
}

// For an account without 2FA neither branch below runs, so the request
// is authenticated with nothing checked. For a 2FA account only the TOTP
// is checked, so a valid code alone is enough.
if (user.twoFactorEnabled && credentials.backupCode) {
  ...
} else if (user.twoFactorEnabled) {
  if (!credentials.totpCode) {
    throw new Error(ErrorCode.SecondFactorRequired);
  }
  const isValidToken = totpAuthenticatorCheck(credentials.totpCode, secret);
  if (!isValidToken) {
    throw new Error(ErrorCode.IncorrectTwoFactorCode);
  }
}

For 2FA users, the same flaw drops password validation: a valid TOTP code alone grants entry, reducing the account to a single factor. An attacker who phishes a current code gets in without the password, and a six-digit code offers far less resistance to guessing than a password does.
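The two attack paths above, side by side with a hardened version of the same conditional, as an added example. This is not Cal.com's code: the user records, the fixed-salt scrypt password hashing, the inline RFC 6238 TOTP implementation and the omission of the backup-code branch are all assumptions made for the demonstration.

```typescript
import { createHmac, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed records for the example; not Cal.com's data model.
interface User {
  email: string;
  passwordHash: string | null; // null for SSO-only accounts
  identityProvider: "CAL" | "SSO";
  twoFactorEnabled: boolean;
  totpSecret: Buffer | null;
}
interface Credentials { email: string; password?: string; totpCode?: string }
type Outcome = "OK" | "IncorrectEmailPassword" | "SecondFactorRequired" | "IncorrectTwoFactorCode";

// Demo password hashing: scrypt with a fixed salt (assumption; production code uses per-user salts).
const DEMO_SALT = "demo-salt";
function hashPassword(pw: string): string {
  return scryptSync(pw, DEMO_SALT, 32).toString("hex");
}
function verifyPassword(pw: string | undefined, hash: string): boolean {
  if (!pw) return false;
  const a = Buffer.from(hashPassword(pw), "hex");
  const b = Buffer.from(hash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits.
function totp(secret: Buffer, nowSeconds: number): string {
  const ctr = Math.floor(nowSeconds / 30);
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(ctr / 0x100000000), 0);
  msg.writeUInt32BE(ctr >>> 0, 4);
  const h = createHmac("sha1", secret).update(msg).digest();
  const off = h[h.length - 1] & 0x0f;
  const bin = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
  return ("000000" + (bin % 1000000)).slice(-6);
}
function totpCheck(code: string | undefined, secret: Buffer | null, now: number): boolean {
  if (!code || !secret) return false;
  return totp(secret, now) === code || totp(secret, now - 30) === code; // allow one step of skew
}

// Mirrors the vulnerable conditional from the article (backup-code branch omitted).
function authorizeVulnerable(user: User, c: Credentials, now: number): Outcome {
  if (!user.passwordHash && user.identityProvider === "CAL") return "IncorrectEmailPassword";
  // BUG: any non-empty totpCode makes this condition false, so the password is never checked.
  if (user.passwordHash && !c.totpCode) {
    if (!verifyPassword(c.password, user.passwordHash)) return "IncorrectEmailPassword";
  }
  if (user.twoFactorEnabled) {
    if (!c.totpCode) return "SecondFactorRequired";
    if (!totpCheck(c.totpCode, user.totpSecret, now)) return "IncorrectTwoFactorCode";
  }
  return "OK"; // a non-2FA account reaches here having proven nothing
}

// Hardened form: the password is verified whenever the account has one, whatever else was sent.
function authorizeFixed(user: User, c: Credentials, now: number): Outcome {
  if (!user.passwordHash && user.identityProvider === "CAL") return "IncorrectEmailPassword";
  if (user.passwordHash && !verifyPassword(c.password, user.passwordHash)) return "IncorrectEmailPassword";
  if (user.twoFactorEnabled) {
    if (!c.totpCode) return "SecondFactorRequired";
    if (!totpCheck(c.totpCode, user.totpSecret, now)) return "IncorrectTwoFactorCode";
  }
  return "OK";
}

// Constructed accounts: alice has no 2FA, bob has 2FA using the RFC 6238 test secret.
const BOB_SECRET = Buffer.from("12345678901234567890", "ascii");
const alice: User = { email: "alice@example.com", passwordHash: hashPassword("alice-pass"),
  identityProvider: "CAL", twoFactorEnabled: false, totpSecret: null };
const bob: User = { email: "bob@example.com", passwordHash: hashPassword("bob-pass"),
  identityProvider: "CAL", twoFactorEnabled: true, totpSecret: BOB_SECRET };

// Runs both attack paths against both versions of the check.
function demo(now = 1700000000): Record<string, Outcome> {
  const junk = { email: alice.email, totpCode: "000000" };              // no password, fake TOTP
  const bobTotp = { email: bob.email, totpCode: totp(BOB_SECRET, now) }; // valid TOTP, no password
  return {
    "alice, fake TOTP, vulnerable": authorizeVulnerable(alice, junk, now),
    "alice, fake TOTP, fixed": authorizeFixed(alice, junk, now),
    "bob, TOTP only, vulnerable": authorizeVulnerable(bob, bobTotp, now),
    "bob, TOTP only, fixed": authorizeFixed(bob, bobTotp, now),
  };
}
console.log(demo());
```

The hardened version separates the two decisions: whether the password is checked depends only on whether the account has one, and whether a second factor is checked depends only on whether 2FA is enabled. No field in the request can switch either check off.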

Aspect             Details
Affected Versions  ≤ 5.9.7
Patched Versions   5.9.8
Package            No specific package listed
CVSS Score         Critical (no exact score; high impact)

Potential Impact and Mitigation Steps

An attacker who knows a user's email address can impersonate that user and read their meeting links, calendars and other personal data.

The flaw enables account takeover and user enumeration, and is a downstream risk for enterprises that integrate Cal.com into their workflows. Accounts without 2FA are taken over outright; accounts with 2FA degrade to a single factor.

The fix is to decouple the checks: verify the password whenever the account has one, and only then evaluate the second factor, regardless of which fields the request carries. Cal.com patched this in 5.9.8 by restructuring that conditional logic.

Admins should upgrade, enforce 2FA, and review authentication logs for successful logins that carried a TOTP code for accounts with no 2FA enabled, which is the signature of this bypass. Monitor for anomalies, such as bursts of failed TOTP attempts against a single email address.
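The two log checks recommended above, run over a handful of constructed authentication events, as an added example (not Cal.com code). The event schema, the two-factor account list and the thresholds are assumptions; the article does not describe Cal.com's real log format, so this is the shape of the detection rather than a drop-in query.

```typescript
// Constructed auth events in a hypothetical schema (assumption, not Cal.com's log format).
interface AuthEvent {
  ts: number;            // unix seconds
  email: string;
  totpSupplied: boolean; // request carried a non-empty totpCode
  outcome: "success" | "IncorrectEmailPassword" | "IncorrectTwoFactorCode";
}

// Accounts that the user table says have 2FA enabled (constructed).
const twoFactorAccounts = new Set(["bob@example.com", "carol@example.com"]);

// Six failed TOTP attempts against bob within 50 seconds.
const bobFailures: AuthEvent[] = Array.from({ length: 6 }, (_, i) => ({
  ts: 1100 + 10 * i, email: "bob@example.com", totpSupplied: true, outcome: "IncorrectTwoFactorCode" as const,
}));

const sampleEvents: AuthEvent[] = [
  { ts: 1000, email: "alice@example.com", totpSupplied: true,  outcome: "success" }, // non-2FA account sent a TOTP: bypass signature
  { ts: 1005, email: "carol@example.com", totpSupplied: true,  outcome: "success" }, // legitimate 2FA login
  { ts: 1010, email: "dave@example.com",  totpSupplied: false, outcome: "success" }, // ordinary password login
  ...bobFailures,
  { ts: 2000, email: "carol@example.com", totpSupplied: true, outcome: "IncorrectTwoFactorCode" }, // isolated typo
  { ts: 2500, email: "carol@example.com", totpSupplied: true, outcome: "IncorrectTwoFactorCode" },
];

// Rule 1: a successful login that carried a TOTP code for an account without 2FA
// should be impossible on a patched system; on an unpatched one it is the bypass.
function findTotpBypassLogins(events: AuthEvent[], twoFactor: Set<string>): AuthEvent[] {
  return events.filter(e => e.outcome === "success" && e.totpSupplied && !twoFactor.has(e.email));
}

// Rule 2: `threshold` or more failed TOTP attempts against one email inside any
// `windowSec`-second sliding window, which is what guessing a six-digit code looks like.
function findTotpBruteForce(events: AuthEvent[], windowSec = 60, threshold = 5): string[] {
  const byEmail = new Map<string, number[]>();
  events.forEach(e => {
    if (e.outcome !== "IncorrectTwoFactorCode") return;
    const times = byEmail.get(e.email) ?? [];
    times.push(e.ts);
    byEmail.set(e.email, times);
  });
  const flagged: string[] = [];
  byEmail.forEach((times, email) => {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let i = 0; i < times.length; i++) {
      while (times[i] - times[start] > windowSec) start++; // slide the window forward
      if (i - start + 1 >= threshold) { flagged.push(email); break; }
    }
  });
  return flagged;
}

// Human-readable findings for the sample data.
function report(events: AuthEvent[], twoFactor: Set<string>): string[] {
  const lines = findTotpBypassLogins(events, twoFactor)
    .map(e => `BYPASS? ts=${e.ts} ${e.email} logged in with a TOTP but has no 2FA`);
  findTotpBruteForce(events).forEach(email => lines.push(`BRUTE-FORCE? repeated TOTP failures for ${email}`));
  return lines;
}
report(sampleEvents, twoFactorAccounts).forEach(l => console.log(l));
```

Rule 1 needs the user table, not just the log, because the log alone cannot say whether a TOTP code was expected for that account; rule 2 works on the log alone and is worth keeping after patching, since it catches code guessing against 2FA accounts regardless of this bug.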

The lesson is not that TOTP is unsafe but that factor checks must be independent: a conditional that couples the password check to the presence of some other request field is a bypass waiting to happen. Developers should audit such conditionals in their own login flows. See the complete advisory for the patch.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
