PatchSiren cyber security CVE debrief
CVE-2026-9304 calcom CVE debrief
A Server-Side Request Forgery (SSRF) vulnerability exists in the Logo API component of calcom cal.diy versions up to 4.9.4. The vulnerability resides in the `validateUrlForSSRF` function within `apps/web/app/api/logo/route.ts`. An attacker with low privileges can remotely manipulate this function to induce the server to make unauthorized requests to internal or external resources. The CVSS 4.0 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, and low impacts across confidentiality, integrity, and availability. The exploit has been publicly released, though the attack is characterized as highly complex with difficult exploitability. The vendor was contacted prior to disclosure but did not respond.
- Vendor: calcom
- Product: cal.diy
- CVSS: LOW 1.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
Organizations running calcom cal.diy instances version 4.9.4 or earlier, particularly those exposing the Logo API to untrusted users or hosting sensitive internal services reachable from application servers.
Technical summary
The `validateUrlForSSRF` function in `apps/web/app/api/logo/route.ts` fails to adequately prevent SSRF attacks, allowing authenticated attackers with low privileges to induce the server to make requests to arbitrary destinations. The vulnerability affects cal.diy versions up to 4.9.4. Attack complexity is high and exploitability is rated as difficult, limiting practical exploitation despite public exploit availability.
Defensive priority
LOW
Recommended defensive actions
- Upgrade calcom cal.diy to a version newer than 4.9.4 when available
- Review and strengthen SSRF protections in the Logo API `validateUrlForSSRF` function
- Implement strict URL validation with allowlist-based approaches for logo fetching
- Deploy network segmentation to limit internal resource exposure from application servers
- Monitor for anomalous outbound requests from cal.diy application instances
- Consider blocking or rate-limiting logo API endpoints if not business-critical pending patch
- Review application logs for suspicious URL patterns in logo API requests
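The allowlist-based validation recommended above, as an added example (not calcom's code and not a claim about how `validateUrlForSSRF` is implemented): a hardened check for a logo URL is shown next to a hypothetical substring denylist, the weak pattern that integer-form IP literals and userinfo tricks slip past. The allowed hosts are constructed values; DNS rebinding and redirect handling belong in the fetch layer and are not shown.

```typescript
// Constructed allowlist of hosts a logo may be fetched from (assumption).
const ALLOWED_LOGO_HOSTS = new Set(["cdn.example.com", "assets.example.com"]);

// Weak pattern shown only for contrast: a substring denylist on the raw string.
// It never parses the URL, so it cannot see what host the server will connect to.
function naiveCheck(raw: string): boolean {
  const lowered = raw.toLowerCase();
  const denied = ["localhost", "127.0.0.1", "169.254.", "10.", "192.168."];
  return !denied.some((needle) => lowered.includes(needle)); // true = allowed
}

// WHATWG URL normalizes integer, octal and hex IPv4 forms to dotted decimal,
// and IPv6 hostnames come back in brackets, so one check covers all of them.
function isIpLiteral(host: string): boolean {
  return host.startsWith("[") || /^[0-9.]+$/.test(host);
}

// Hardened check: parse first, then decide on the parsed components.
// Returns a rejection reason, or null if the URL may be fetched.
function validateLogoUrl(
  raw: string,
  allowedHosts: Set<string> = ALLOWED_LOGO_HOSTS,
): string | null {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return "unparseable URL";
  }
  if (url.protocol !== "https:") return "scheme must be https";
  if (url.username !== "" || url.password !== "") return "credentials not allowed";
  if (url.port !== "") return "non-default port";
  // Lower-case and drop a trailing dot so "CDN.example.com." matches the allowlist entry.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (isIpLiteral(host)) return "IP literals not allowed";
  if (!allowedHosts.has(host)) return "host not in allowlist";
  return null;
}
```

The integer form `https://2130706433/` parses to host `127.0.0.1`, so the denylist allows it while the parsed check rejects it.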
Evidence notes
Vulnerability classified as CWE-918 (Server-Side Request Forgery). CVSS 4.0 score of 1.3 reflects LOW severity due to high attack complexity and limited impact. Public exploit availability confirmed via Vuldb references.
Official resources
Public disclosure occurred on 2026-05-23 together with the exploit release. The vendor did not respond to pre-disclosure contact.