Cal.com is a multi-tenant scheduling software-as-a-service (SaaS) platform for booking and calendar management workflows in healthcare, financial services, and enterprise settings. It provides a single scheduling infrastructure through which organizations manage appointments, deal flow, and calendar data.
Cal.com serves several verticals with distinct requirements for appointment management and calendar integration: healthcare provider scheduling, financial services deal-flow management, and enterprise calendar coordination. In its multi-tenant architecture many organizations share one infrastructure, so data separation and organizational isolation are enforced by the platform's own access control logic rather than by separate deployments.
The platform's architecture is designed to handle the complexity of modern scheduling scenarios, including calendar synchronization, availability management, booking confirmation workflows, and integration with existing organizational systems. The system manages sensitive data including personally identifiable information (PII), medical appointment details, and financial transaction scheduling information.
Cal.com is developed as an open-source production codebase that has reached significant scale and adoption within the developer community, with approximately 30,000 stars on GitHub. The open-source model allows organizations to self-host Cal.com instances and provides transparency into the platform's technical implementation, including the code that enforces tenant isolation.
The multi-tenant design lets the platform serve a diverse customer base, but it also concentrates the hard problems in one place: data isolation between tenants, performance across many organizations, and consistent service levels for all of them. Isolation in particular depends on authorization checks being applied consistently on every code path, because tenants share the same code and infrastructure.
In January 2026, Gecko Security identified critical access control vulnerabilities within Cal.com's codebase 1).
These vulnerabilities put platform users and their data at significant risk. They enabled account takeover, allowing unauthorized actors to access user accounts and the scheduling information they contain, and they exposed personally identifiable information across the multi-tenant platform, potentially reaching healthcare appointment records, financial transaction details, and other sensitive organizational data held in Cal.com instances.
The access control defects allowed attackers to bypass the authentication and authorization mechanisms that should have restricted access to user accounts and their associated data. Account takeover was the most severe outcome: successful exploitation could give an attacker full control of a victim's account, including the ability to view, modify, or delete calendar data and associated scheduling information.
The PII exposure stemmed from inadequate authorization checks that permitted unauthorized access to personal information stored in user profiles and calendar data. Beyond the direct harm to affected users (identity theft, targeted attacks built on knowledge of their appointments), this created compliance exposure under data protection regulations for the organizations running the platform.
Cal.com v6.0.8 was released as a critical security release to remediate the identified access control defects. The patches change the access control logic to enforce proper authorization checks across user account operations and data retrieval functions. Organizations deploying Cal.com were advised to upgrade to this version; because the codebase is open source, the release diff itself documents the defects, so self-hosted instances that lag behind the release remain exposed to a publicly described weakness.
The fixes strengthen validation so that a user can only reach calendar data and account functions they are explicitly authorized to view or modify. In practice that means verifying that the requested record belongs to the requesting user or organization on every path that reads or writes it, not merely that the request is authenticated. This included revising permission checking logic across both API endpoints and web interface controllers.
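To make that distinction concrete, here is an added illustration (not Cal.com's code, and not a reproduction of the defect Gecko Security reported) of the difference between a handler that only checks authentication and one that scopes every lookup to the caller's ownership and organization. The in-memory store, the user and booking records, and the function names `getBookingUnchecked`, `getBooking`, `cancelBooking` and `crossTenantProbe` are all assumptions made for this example; a real deployment would express the same scoping as a `where` clause in the database query rather than a filter over an array.

```typescript
// Added illustration of object-level authorization in a multi-tenant scheduling API.
// Hypothetical in-memory records and function names; this is not Cal.com's code
// and does not reproduce the reported defect.

interface User { id: number; orgId: number }
interface Booking { id: number; orgId: number; ownerId: number; attendeeEmail: string; title: string }

// Constructed sample data: two organisations, one user in each, three bookings.
const USERS: Record<number, User> = {
  1: { id: 1, orgId: 10 },
  2: { id: 2, orgId: 20 },
};
const BOOKINGS: Booking[] = [
  { id: 100, orgId: 10, ownerId: 1, attendeeEmail: "alice@example.org", title: "Intake" },
  { id: 101, orgId: 20, ownerId: 2, attendeeEmail: "bob@example.net", title: "Deal review" },
  { id: 102, orgId: 20, ownerId: 2, attendeeEmail: "carol@example.net", title: "Follow-up" },
];

// Weak pattern: the handler verifies that a session exists (authentication) and then
// looks the record up by the client-supplied id alone. Any logged-in user can read
// any booking, including another tenant's attendee PII.
function getBookingUnchecked(sessionUserId: number, bookingId: number): Booking | null {
  if (!USERS[sessionUserId]) return null;
  return BOOKINGS.find((b) => b.id === bookingId) ?? null;
}

// Hardened pattern: authorization is part of the lookup. The predicate requires the
// record to belong to the caller's organisation and to the caller, so no code path
// can hand back another tenant's record. "Not found" and "not yours" both yield
// null, so the response does not confirm whether a guessed id exists.
function getBooking(sessionUserId: number, bookingId: number): Booking | null {
  const caller = USERS[sessionUserId];
  if (!caller) return null;
  return (
    BOOKINGS.find(
      (b) => b.id === bookingId && b.orgId === caller.orgId && b.ownerId === caller.id,
    ) ?? null
  );
}

// Mutations resolve their target through the same scoped lookup before acting.
// Returns true only if a booking the caller owns was actually removed.
function cancelBooking(sessionUserId: number, bookingId: number): boolean {
  const target = getBooking(sessionUserId, bookingId);
  if (!target) return false;
  BOOKINGS.splice(BOOKINGS.indexOf(target), 1);
  return true;
}

// Cross-tenant probe: user 1 (org 10) asks for booking 101, which belongs to org 20.
function crossTenantProbe(): { leakedByUnchecked: boolean; blockedByScoped: boolean } {
  return {
    leakedByUnchecked: getBookingUnchecked(1, 101) !== null,
    blockedByScoped: getBooking(1, 101) === null,
  };
}

console.log(crossTenantProbe()); // { leakedByUnchecked: true, blockedByScoped: true }
```

The point of the hardened version is that the ownership condition lives inside the lookup, so a new endpoint that reuses `getBooking` cannot forget the check; the weak version relies on every caller remembering to compare `ownerId` afterwards, which is exactly the kind of omission that produces cross-tenant PII exposure.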
The discovery-to-patch cycle illustrates the company's handling of reported security issues: the defects were addressed in a dedicated security release, and users were told to upgrade promptly.