PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9349 calcom CVE debrief

A medium-severity information disclosure vulnerability exists in calcom cal.diy versions up to 4.9.4. The vulnerability resides in the `getServerSideProps` function within `apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx`, where manipulation of the `cancelledBy` or `rescheduledBy` arguments can lead to unauthorized information disclosure. The attack vector is network-based, requires no authentication, and can be executed remotely. The exploit has been publicly disclosed, increasing the risk of active exploitation. The vendor was reportedly contacted prior to disclosure but did not respond.

Vendor: calcom
Product: cal.diy
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-24
Original CVE updated: 2026-05-26
Advisory published: 2026-05-24
Advisory updated: 2026-05-26

Who should care

Organizations running calcom cal.diy instances up to version 4.9.4, particularly those exposing booking management interfaces to external users. Security teams should prioritize patching and input validation improvements.

Technical summary

The vulnerability exists in the server-side rendering path of a Next.js/React application. The `getServerSideProps` function in `bookings-single-view.getServerSideProps.tsx` fails to properly validate or authorize access when processing `cancelledBy` and `rescheduledBy` parameters. An unauthenticated remote attacker can manipulate these parameters to disclose information beyond their authorization scope. The CVSS 4.0 score of 5.5 reflects network accessibility with low confidentiality impact. The presence of a public exploit (disclosed via GitHub Gist) elevates practical risk despite medium severity scoring.

Defensive priority

medium

Recommended defensive actions

  • Upgrade calcom cal.diy to a version beyond 4.9.4 when a patched release becomes available
  • Review and validate input sanitization for the `cancelledBy` and `rescheduledBy` parameters in `getServerSideProps` functions
  • Implement server-side validation to ensure users can only access their own booking cancellation and rescheduling data
  • Monitor application logs for anomalous access patterns to booking-related endpoints
  • Apply principle of least privilege to booking data access controls
  • Consider implementing additional authentication checks for sensitive booking operations
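The two validation items above, as an added example that is not cal.com's own code: a weak handler that lets the `cancelledBy` / `rescheduledBy` query parameter alone decide which booking view is rendered, beside a hardened one that honours the parameter only when it names the authenticated user and that user is a participant of the booking. The `Session`, `Booking` and `BookingProps` shapes are hypothetical and constructed for this illustration.

```typescript
// Added example, not cal.com's own code: a guard for the `cancelledBy` and
// `rescheduledBy` query parameters in a Next.js getServerSideProps-style handler.
// The shapes below are hypothetical and constructed for this example.
type Query = Record<string, string | string[] | undefined>;
interface Session { userEmail: string }
interface Booking {
  uid: string;
  organizerEmail: string;
  attendeeEmails: string[];
  cancellationReason?: string;
}
interface BookingProps { uid: string; actor?: string; reason?: string }

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Next.js hands repeated query keys over as arrays; accept one well-formed
// address only, normalised for comparison. Anything else is treated as absent.
export function singleParam(value: string | string[] | undefined): string | undefined {
  if (typeof value !== "string") return undefined;
  const v = value.trim().toLowerCase();
  return v.length <= 254 && EMAIL_RE.test(v) ? v : undefined;
}

// Weak pattern: the request parameter alone decides whose view of the booking
// is rendered, so any caller who can name a participant sees that data.
export function vulnerableProps(query: Query, booking: Booking): BookingProps {
  const actor = singleParam(query.cancelledBy) ?? singleParam(query.rescheduledBy);
  if (!actor) return { uid: booking.uid };
  return { uid: booking.uid, actor, reason: booking.cancellationReason };
}

// Hardened pattern: the parameter is honoured only when the authenticated user
// is that participant of this specific booking; otherwise it is ignored and
// the response falls back to the public view.
export function hardenedProps(query: Query, booking: Booking, session: Session | null): BookingProps {
  const requested = singleParam(query.cancelledBy) ?? singleParam(query.rescheduledBy);
  if (!requested || !session) return { uid: booking.uid };
  const participants = [booking.organizerEmail, ...booking.attendeeEmails].map((e) => e.toLowerCase());
  const isSelf = session.userEmail.toLowerCase() === requested;
  if (!isSelf || !participants.includes(requested)) return { uid: booking.uid };
  return { uid: booking.uid, actor: requested, reason: booking.cancellationReason };
}
```

The same shape applies to any per-participant field: decide disclosure from the session and the booking's own records, never from a caller-supplied identity.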

Evidence notes

Vulnerability identified in calcom cal.diy ≤4.9.4 via the `getServerSideProps` function. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges required and no user interaction, with low confidentiality impact. Classified as CWE-200 (Information Exposure) and CWE-284 (Improper Access Control). An exploit is publicly available per the VulDB submission.

Official resources

public