VYPR
Unrated severity · NVD Advisory · Published May 23, 2026

calcom cal.diy cross-site request forgery

CVE-2026-9303

Description

A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cal.com up to 4.9.4 contains two CSRF vulnerabilities: an OAuth account linking bypass via hardcoded allowlist and a calendar availability API lacking CSRF tokens, enabling account takeover and availability manipulation.

Vulnerability

Cal.com (cal.diy) versions up to 4.9.4 are affected by two distinct Cross-Site Request Forgery (CSRF) vulnerabilities. First, the OAuth callback handler in packages/app-store/_utils/oauth/decodeOAuthState.ts introduces a hardcoded allowlist (NONCE_EXEMPT_APPS) for applications such as stripe, basecamp3, dub, webex, and tandem, which bypasses HMAC-signed nonce validation [1]. Second, the calendar availability API endpoint /api/availability/calendar lacks explicit CSRF tokens and accepts text/plain JSON payloads, while production cookie settings use SameSite=none [2].

Exploitation

For the OAuth CSRF, an unauthenticated attacker can obtain their own OAuth authorization code for an exempt application and embed it in a malicious callback URL. When a logged-in victim visits this URL, the system links the attacker's external integration to the victim's account without proper state validation [1]. For the calendar API CSRF, an attacker can craft a cross-origin request using fetch(url, {mode: 'no-cors'}) with a text/plain JSON payload. Because the browser automatically includes the victim's session cookie (due to SameSite=none), the request is processed, modifying the victim's calendar availability settings [2].

Impact

Successful exploitation of the OAuth CSRF allows an attacker to bind their own external application (e.g., Basecamp3, Webex) to the victim's Cal.com account, effectively taking over the victim's scheduling integrations and potentially accessing calendar data [1]. Exploitation of the calendar API CSRF enables an attacker to silently alter the victim's availability configurations, leading to a denial-of-service condition where the victim's calendar becomes unusable or misconfigured [2].

Mitigation

As of the publication date, the vendor has not responded to disclosure and no official patch has been released for either vulnerability. Users of Cal.com up to version 4.9.4 are advised to monitor for updates or consider disabling OAuth integrations and restricting cookie SameSite attributes if possible, though no complete workaround is documented [1][2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing CSRF protections: an allowlist exempts high-profile OAuth apps from HMAC nonce validation, and the calendar availability API lacks any anti-CSRF token or header check."

Attack vector

For the OAuth CSRF (CWE-352), an unauthenticated attacker crafts a GET URL containing their own stolen OAuth authorization code for an exempt app (e.g., basecamp3). When a logged-in victim visits that URL, the callback handler exchanges the code for tokens and links the attacker's integration to the victim's account without validating any CSRF nonce [ref_id=1]. For the calendar API CSRF (CWE-352), an attacker hosting a malicious page uses `fetch(url, {mode: 'no-cors'})` with a `text/plain` payload. Because Cal.com sets `SameSite=none` under HTTPS and the endpoint accepts `text/plain` JSON via `req.json()`, the browser sends the victim's session cookie and mutates their calendar availability settings [ref_id=2].

Affected code

Two code paths are at fault. In `packages/app-store/_utils/oauth/decodeOAuthState.ts`, an explicit allowlist (`NONCE_EXEMPT_APPS`) exempts applications such as basecamp3 and webex from HMAC-signed nonce validation [ref_id=1]. In `packages/app-store/basecamp3/api/callback.ts`, the handler performs the OAuth token exchange and commits the external identity to the database via `prisma.user.update` *before* calling `decodeOAuthState`, rendering the validation moot [ref_id=1]. Separately, `apps/web/app/api/availability/calendar/route.ts` lacks any CSRF token check and blindly parses `req.json()` [ref_id=2].

What the fix does

No patch has been published; the vendor was contacted but did not respond [ref_id=1][ref_id=2]. The advisory recommends removing the `NONCE_EXEMPT_APPS` allowlist in `decodeOAuthState.ts` so that all OAuth callbacks enforce HMAC-signed nonce validation, and moving the `decodeOAuthState` call to occur *before* the token-exchange and database-write steps in each callback handler [ref_id=1]. For the calendar API, the advisory recommends adding explicit CSRF tokens or checksum validation headers (similar to what TRPC endpoints use) and avoiding `SameSite=none` on sensitive endpoints [ref_id=2].
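The ordering the advisory asks for, as an added illustration that is not Cal.com's code: the state value carries an HMAC over a per-flow nonce and the initiating user id, `decodeOAuthState` has no exemption list, and the callback handler refuses the request before the token exchange or any database write. The secret, function names and the stubbed side effects are assumptions for the demo.

```typescript
// Added example (not Cal.com's code): HMAC-signed OAuth state checked
// before any side effect, with no per-app exemption list.
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

const STATE_SECRET = "constructed-demo-secret"; // assumption: read from env in a real deployment
const sign = (payload: string) => createHmac("sha256", STATE_SECRET).update(payload).digest("hex");

// Mint a state value bound to the user who started the OAuth flow.
export function encodeOAuthState(userId: number, appSlug: string): string {
  const nonce = randomBytes(16).toString("hex");
  const payload = Buffer.from(JSON.stringify({ userId, appSlug, nonce })).toString("base64");
  return `${payload}.${sign(payload)}`;
}

// Verify the signature first, then require the state to belong to the session user.
// Returns null on any failure; there is deliberately no NONCE_EXEMPT_APPS bypass.
export function decodeOAuthState(state: string, sessionUserId: number): { appSlug: string } | null {
  const parts = state.split(".");
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]), "hex");
  const given = Buffer.from(parts[1], "hex");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  const data = JSON.parse(Buffer.from(parts[0], "base64").toString("utf8"));
  if (data.userId !== sessionUserId) return null; // state was minted for another session
  return { appSlug: data.appSlug };
}

// Side effects are recorded so a test can show none happen for a forged or missing state.
export interface Effects { exchanged: boolean; persisted: boolean }

// Callback handler ordering: validate state, then exchange the code, then write to the DB.
export function handleCallback(query: { code?: string; state?: string }, sessionUserId: number, fx: Effects): number {
  const decoded = query.state ? decodeOAuthState(query.state, sessionUserId) : null;
  if (!decoded || !query.code) return 400; // reject before any network or database work
  fx.exchanged = true;  // stand-in for the provider token exchange
  fx.persisted = true;  // stand-in for prisma.user.update / credential insert
  return 200;
}
```

A callback carrying only `code=` (the shape of the request described above) is rejected with 400 and leaves both side-effect flags false.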

Preconditions

  • auth: victim must have an active session cookie (next-auth.session-token) for the Cal.com instance
  • input (OAuth CSRF): attacker must obtain their own valid OAuth authorization code for an exempt app (basecamp3, webex, etc.)
  • config (calendar API CSRF): Cal.com must be deployed under HTTPS (triggers SameSite=none cookie policy)
  • network: attacker must trick the victim into visiting a crafted URL (OAuth CSRF) or a malicious page that issues a cross-origin fetch (calendar API CSRF)

Reproduction

**OAuth CSRF (ref_id=1):**

1. Set up a local Cal.com instance (PostgreSQL at `localhost:5450/calendso`).
2. Run the provided `poc_exploit_oauth_csrf.py` script, which creates a victim user, injects a session token, and inserts mock Basecamp3 app keys.
3. The script sends a GET to `http://localhost:3000/api/integrations/basecamp3/callback?code=VULNERABLE_STOLEN_CODE` with the victim's session cookie.
4. Observe status 400 with `{"message":"Error with Basecamp 3 API"}`; the script reports `[EXPLOIT SUCCESS]`, confirming the backend attempted the token swap and database bind before any CSRF validation [ref_id=1].

**Calendar API CSRF (ref_id=2):**

1. Set up a local Cal.com instance (same DB).
2. Run `poc_exploit_csrf.py`, which creates a victim user and session.
3. The script POSTs `{"integration":"apple_calendar","externalId":"attacker-controlled-cal",...}` with `Content-Type: text/plain` and the victim's cookie to `http://localhost:3000/api/availability/calendar`.
4. Status 200 is returned, and the script verifies the `SelectedCalendar` row was inserted; the script reports `[EXPLOIT SUCCESS]` [ref_id=2].
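As an added example (not Cal.com's code), a request-level gate of the kind the advisory recommends for a cookie-authenticated JSON route whose session cookie is `SameSite=None`: it refuses the `text/plain` body that a `no-cors` fetch can send, requires the `Origin` header to match the deployment, uses `Sec-Fetch-Site` when the browser supplies it, and enforces a double-submit token header. The app origin, cookie name and header name are assumptions.

```typescript
// Added example (not Cal.com's code): CSRF gate for a cookie-authenticated
// JSON route whose session cookie is SameSite=None.
export type HeaderMap = Record<string, string>;
export interface Req { method: string; headers: HeaderMap }

const APP_ORIGIN = "https://cal.example"; // assumption: the deployment's own origin

function header(h: HeaderMap, name: string): string | undefined {
  const key = Object.keys(h).filter((k) => k.toLowerCase() === name.toLowerCase())[0];
  return key === undefined ? undefined : h[key];
}

// Returns "ok" or the reason the request is refused, so the caller can log it.
export function csrfCheck(req: Req): string {
  if (["GET", "HEAD", "OPTIONS"].indexOf(req.method.toUpperCase()) !== -1) return "ok";
  // A no-cors fetch can only send "simple" content types such as text/plain;
  // demanding application/json forces a CORS preflight that a foreign page fails.
  const ct = (header(req.headers, "content-type") || "").split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") return `unexpected content-type "${ct || "(none)"}"`;
  // Browsers attach Origin to cross-site POSTs; it must name this deployment.
  const origin = header(req.headers, "origin");
  if (origin !== APP_ORIGIN) return `origin "${origin || "(none)"}" is not ${APP_ORIGIN}`;
  // Fetch metadata, when present, is a second independent signal.
  const site = header(req.headers, "sec-fetch-site");
  if (site !== undefined && site !== "same-origin" && site !== "none") return `sec-fetch-site ${site}`;
  // Double-submit token: a custom header must echo the csrf-token cookie (assumed names).
  const cookies = header(req.headers, "cookie") || "";
  const m = /(?:^|;\s*)csrf-token=([^;]+)/.exec(cookies);
  if (!m || header(req.headers, "x-csrf-token") !== m[1]) return "csrf token missing or mismatched";
  return "ok";
}

// Constructed sample: the cross-origin text/plain POST the reproduction above describes.
export const FORGED: Req = {
  method: "POST",
  headers: {
    Origin: "https://attacker.example",
    "Content-Type": "text/plain",
    Cookie: "next-auth.session-token=constructed; csrf-token=abc123",
  },
};
// Constructed sample: a same-origin request from the application's own front end.
export const LEGIT: Req = {
  method: "POST",
  headers: {
    Origin: APP_ORIGIN,
    "Content-Type": "application/json; charset=utf-8",
    "Sec-Fetch-Site": "same-origin",
    Cookie: "next-auth.session-token=constructed; csrf-token=abc123",
    "X-CSRF-Token": "abc123",
  },
};
```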

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0. No linked articles in our index yet.