CVE-2025-66489 CRITICAL

CVE-2025-66489: Cal.com Authentication Bypass via bad TOTP + password checks

Vendor Calcom
Product cal.com
Weakness CWE-303 (Incorrect Implementation of Authentication Algorithm)
Published December 3, 2025
Last update December 3, 2025

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N

What the vulnerability does

Description

Cal.com is open-source scheduling software. In versions prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is supplied with the login request, potentially gaining unauthorized access to user accounts. The issue stems from faulty conditional logic in the authentication flow: the presence of a TOTP code changes which checks are applied, instead of adding a second factor on top of the password check. The CVSS vector rates privileges required and user interaction as none, so the flaw is reachable by any unauthenticated client that can reach the login endpoint. The vulnerability is fixed in 5.9.8; operators should upgrade to 5.9.8 or later.
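As an added illustration of this bug class (CWE-303), and not Cal.com's own code (the advisory does not publish the faulty conditional), the TypeScript below contrasts a NextAuth-style `authorize` whose password check is gated on the absence of a TOTP code with one that verifies every factor unconditionally. The in-memory user store, the sha256 password scheme, the names `authorizeVulnerable`, `authorizeFixed` and `scenarios`, and the exact shape of the flawed conditional are assumptions for the demo; the TOTP routine is standard RFC 6238 HMAC-SHA1 and is exercised with the RFC's published test key.

```typescript
// Added illustration of CWE-303 in a NextAuth-style credentials provider.
// NOT Cal.com's code: the user store, the sha256 password scheme and the exact
// shape of the faulty conditional are assumptions made for this demo.
import { createHash, createHmac, timingSafeEqual } from "crypto";

interface User {
  email: string;
  salt: string;
  passwordHash: string;      // hex sha256(salt + password); demo only, real code uses bcrypt/argon2
  twoFactorEnabled: boolean;
  totpSecret?: Buffer;       // raw HMAC key for TOTP
}

interface Credentials {
  email: string;
  password: string;
  totpCode?: string;
}

function hashPassword(password: string, salt: string): string {
  return createHash("sha256").update(salt + password).digest("hex");
}

// Constructed fixture. TOTP_SECRET is the RFC 6238 Appendix B test key.
const TOTP_SECRET = Buffer.from("12345678901234567890", "ascii");
const USERS: Record<string, User> = {
  "alice@example.com": {
    email: "alice@example.com", salt: "salt-a",
    passwordHash: hashPassword("correct horse battery staple", "salt-a"),
    twoFactorEnabled: true, totpSecret: TOTP_SECRET,
  },
  "bob@example.com": {
    email: "bob@example.com", salt: "salt-b",
    passwordHash: hashPassword("hunter2", "salt-b"),
    twoFactorEnabled: false,
  },
};

function constantTimeEqual(a: string, b: string): boolean {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

function verifyPassword(user: User, password: string): boolean {
  return constantTimeEqual(hashPassword(password, user.salt), user.passwordHash);
}

// HOTP (RFC 4226): dynamic truncation of HMAC-SHA1 over the 8-byte big-endian counter.
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const o = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[o] & 0x7f) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
  return String(bin % Math.pow(10, digits)).padStart(digits, "0");
}

// TOTP (RFC 6238): HOTP over floor(unixSeconds / 30).
function totpAt(secret: Buffer, unixSeconds: number, step = 30): string {
  return hotp(secret, Math.floor(unixSeconds / step));
}

// Accept the current 30 s step and one step either side for clock skew.
function verifyTotp(user: User, code: string, now: number): boolean {
  const secret = user.totpSecret;
  if (!secret) return false;
  const t = Math.floor(now / 30);
  return [t - 1, t, t + 1].some((c) => constantTimeEqual(hotp(secret, c), code));
}

// VULNERABLE (hypothetical shape): the password check is gated on the absence
// of a TOTP code, so any request that carries a code skips password verification.
function authorizeVulnerable(creds: Credentials, now: number): User | null {
  const user = USERS[creds.email];
  if (!user) return null;
  if (!creds.totpCode && !verifyPassword(user, creds.password)) return null;
  if (user.twoFactorEnabled && !(creds.totpCode && verifyTotp(user, creds.totpCode, now))) return null;
  return user;
}

// FIXED: each factor is verified unconditionally; client input can only add a
// requirement, never remove one.
function authorizeFixed(creds: Credentials, now: number): User | null {
  const user = USERS[creds.email];
  if (!user) return null;
  if (!verifyPassword(user, creds.password)) return null;
  if (user.twoFactorEnabled && !(creds.totpCode && verifyTotp(user, creds.totpCode, now))) return null;
  return user;
}

// Drive both flows through the same requests so the difference is visible.
function scenarios(now: number) {
  const alice = "alice@example.com", bob = "bob@example.com";
  const code = totpAt(TOTP_SECRET, now);
  const run = (c: Credentials) => ({
    vulnerable: authorizeVulnerable(c, now) !== null,
    fixed: authorizeFixed(c, now) !== null,
  });
  return {
    aliceLegit: run({ email: alice, password: "correct horse battery staple", totpCode: code }),
    aliceWrongPwValidTotp: run({ email: alice, password: "nope", totpCode: code }),
    bobWrongPwAnyCode: run({ email: bob, password: "nope", totpCode: "000000" }),
  };
}
```

The practitioner's takeaway is in `scenarios`: a wrong password paired with a valid TOTP code passes the vulnerable flow, and for an account without 2FA any string in the `totpCode` field is enough. Write authentication as a fixed sequence of checks that client input cannot shorten, and unit-test the login path with each factor wrong in turn, including the "valid second factor, wrong password" case, because that is exactly the case a factor-gating conditional lets through.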

Key dates

Disclosure timeline

December 3, 2025 CVE published
December 3, 2025 Record updated