Unrated severity · NVD Advisory · Published May 24, 2026

calcom cal.diy Generic React API bookings-single-view.getServerSideProps.tsx getServerSideProps information disclosure

CVE-2026-9349

Description

A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. Manipulation of the argument cancelledBy/rescheduledBy causes information disclosure. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cal.com (cal.diy) up to 4.9.4 leaks organizer email via cancelledBy/rescheduledBy properties, bypassing the hideOrganizerEmail feature.

Vulnerability

In cal.com/cal.diy up to version 4.9.4, the getServerSideProps function in apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx and the corresponding TRPC handler fail to sanitize the cancelledBy and rescheduledBy properties of the bookingInfo payload. When the hideOrganizerEmail privacy setting is enabled, the organizer's email is still exposed through these properties, leading to information disclosure [1].

Exploitation

An unauthenticated attacker can remotely trigger the vulnerability by accessing a booking page (e.g., /booking/[uid]). When an organizer cancels or reschedules a booking, the raw email address of the organizer is included in the server-side rendered (SSR) page payload and TRPC API responses. No authentication or special privileges are required beyond knowledge of a valid booking UID [1].

Impact

Successful exploitation allows an attacker to retrieve the private email address of an event organizer who has explicitly enabled the hideOrganizerEmail protection. This compromises user privacy and may enable further targeted attacks such as phishing or social engineering [1].

Mitigation

As of the publication date, no official fix is available. The vendor was contacted but did not respond. Users are advised to disable the hideOrganizerEmail feature as a temporary workaround, or manually apply sanitization to the cancelledBy and rescheduledBy fields in the codebase. The vulnerability is publicly known and may be actively exploited [1].
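The sanitization the workaround describes, as an added example that is not cal.com's own code: a helper that redacts the organizer's email from cancelledBy/rescheduledBy (and user.email) when hideOrganizerEmail is set, plus a regression check that walks any SSR or TRPC payload and reports paths where the email still appears. The BookingInfo shape and the "[hidden]" placeholder are assumptions, not the project's real types.

```typescript
// Added example, not cal.com's own code. Field names mirror the advisory's
// bookingInfo payload; the real object's exact shape is an assumption.
interface BookingInfo {
  uid: string;
  cancelledBy?: string | null;
  rescheduledBy?: string | null;
  user?: { name: string; email: string } | null;
}

const REDACTED = "[hidden]";

// Redact the organizer's email wherever it appears in the payload when the
// organizer enabled hideOrganizerEmail. The organizer email is passed in
// explicitly so cancelledBy/rescheduledBy are checked even when user.email
// was already masked by the existing feature.
function sanitizeBookingInfo(
  booking: BookingInfo,
  organizerEmail: string,
  hideOrganizerEmail: boolean
): BookingInfo {
  if (!hideOrganizerEmail) return booking;
  const target = organizerEmail.trim().toLowerCase();
  const redact = (v?: string | null): string | null =>
    typeof v === "string" && v.trim().toLowerCase() === target ? REDACTED : (v ?? null);
  return {
    ...booking,
    cancelledBy: redact(booking.cancelledBy),
    rescheduledBy: redact(booking.rescheduledBy),
    user: booking.user ? { ...booking.user, email: redact(booking.user.email) as string } : booking.user,
  };
}

// Regression check for SSR/TRPC output: walk any payload and return the JSON
// paths of string values that still contain the organizer email.
function findEmailLeaks(payload: unknown, organizerEmail: string, path = "$"): string[] {
  const needle = organizerEmail.toLowerCase();
  const hits: string[] = [];
  if (typeof payload === "string") {
    if (payload.toLowerCase().indexOf(needle) !== -1) hits.push(path);
  } else if (Array.isArray(payload)) {
    payload.forEach((v, i) => hits.push(...findEmailLeaks(v, organizerEmail, `${path}[${i}]`)));
  } else if (payload !== null && typeof payload === "object") {
    for (const k of Object.keys(payload)) {
      hits.push(...findEmailLeaks((payload as Record<string, unknown>)[k], organizerEmail, `${path}.${k}`));
    }
  }
  return hits;
}
```

Running findEmailLeaks over the object returned by getServerSideProps (or a TRPC response) in a test gives a direct check that the fix covers every field, not only the ones the feature originally masked.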

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: none discovered yet.
