- Description
- Cal.com is open-source scheduling software. Prior to 5.9.8, a flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- cal.com
CVSS 4.0
- Type
- Secondary
- Base score
- 9.9
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-303
- Hype score
- Not currently trending
#VulnerabilityReport #2FAbypass Critical https://t.co/clXOdfTEnT Flaw (CVE-2025-66489, CVSS 9.9) Allows Authentication Bypass by Submitting Fake TOTP Codes https://t.co/8jPTloqHqN
@Komodosec
14 Jan 2026
25 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical flaw (CVE-2025-66489) in Cal.com allowed attackers to bypass authentication by submitting any non-empty TOTP field. Versions up to 5.9.7 were affected. Upgrade to 5.9.8 to restore proper password + TOTP validation. How should platforms better validate MFA logic? htt
@TechNadu
9 Dec 2025
77 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨:CVE-2025-66489(CVSS 9.9): Critical https://t.co/35GmBAkM6D Flaw Allows Authentication Bypass by Submitting Fake TOTP Codes 🧐Detail:https://t.co/tlIDEzLsKh 📊15.2K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/GePbgtG7RM
@HunterMapping
9 Dec 2025
4340 Impressions
10 Retweets
64 Likes
24 Bookmarks
2 Replies
0 Quotes
🚨🚨CVE-2025-66489 (CVSS 9.9): https://t.co/Bc24fzUHWX Authentication Bypass If an attacker supplies any TOTP code during login, the password check is completely skipped thanks to broken conditional logic. Search by vul.cve Filter👉vul.cve="CVE-2025-66489" ZoomEye https://
@zoomeye_team
8 Dec 2025
11528 Impressions
10 Retweets
88 Likes
60 Bookmarks
0 Replies
2 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:cal:cal.com:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "97D8E07A-0C42-4AD4-8270-3929F5A4D472",
            "versionEndExcluding": "5.9.8",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]