Gecko Security

Gecko Security is a security research firm known for conducting vulnerability assessments and security audits of cloud-based software platforms. The firm gained prominence in early 2026 following the discovery of critical access control vulnerabilities in a major calendar and scheduling platform.

Overview

Gecko Security operates as an independent security research organization focused on identifying and documenting vulnerabilities in widely-deployed software systems. The firm conducts detailed technical analysis of security implementations and publishes comprehensive vulnerability reports to inform affected organizations and the broader security community about identified issues and their potential impact.

Notable Vulnerability Discoveries

On January 26, 2026, Gecko Security published findings regarding three chained access control vulnerabilities discovered in Cal.com Cloud 1). These vulnerabilities were classified as particularly severe due to their cascading nature and the sensitive data exposed.

The identified vulnerabilities included multiple Insecure Direct Object Reference (IDOR) flaws, a common category of access control weakness where applications fail to properly validate user authorization before exposing resources. The vulnerabilities enabled unauthorized access to millions of booking records containing personally identifiable information (PII) across the Cal.com Cloud platform 2).

Impact and Severity

The chained nature of these vulnerabilities was particularly critical, as they could be exploited in sequence to achieve complete account takeover. Rather than exposing isolated data elements, the vulnerability chain allowed attackers to escalate privileges and gain full control of compromised user accounts 3). This represented a significant compromise of the confidentiality, integrity, and availability of user accounts and their associated data.

The scale of affected records, spanning millions of bookings, indicated that the vulnerability affected a substantial portion of the Cal.com Cloud user base during the period of exposure.

Vulnerability Reporting and Disclosure

Gecko Security published a detailed technical vulnerability report documenting its findings. Such reports typically include:

* Vulnerability description and classification according to established frameworks such as OWASP or CVSS
* Technical methodology explaining how the vulnerabilities were discovered and exploited
* Proof-of-concept demonstrations showing the attack chain in practice
* Impact assessment quantifying affected users and exposed data categories
* Remediation recommendations for affected organizations

The publication of detailed findings serves multiple purposes within the security community: informing affected organizations of critical issues requiring immediate remediation, educating security practitioners about common vulnerability patterns, and raising awareness about the importance of robust access control mechanisms in cloud platforms.

Security Research Implications

The discovery highlighted the importance of defense-in-depth approaches to access control, where multiple independent security layers prevent unauthorized access even if individual controls are compromised. The chained nature of the vulnerabilities demonstrated how multiple weaknesses, when exploited sequentially, can produce outcomes more severe than any individual vulnerability would suggest.
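The following example illustrates both the IDOR pattern described under "Notable Vulnerability Discoveries" and the defense-in-depth point made above. It is an added illustration written for this page, not Gecko Security's or Cal.com's code, and the booking records, user ids and handler shapes are constructed for the example. It contrasts a booking lookup that trusts a caller-supplied id with one that enforces object-level authorization in the handler, and then adds a second, independent layer by scoping the data-access call to the authenticated owner so that a handler which forgets the first check still cannot cross accounts.

```javascript
// Added illustration of an IDOR on a booking lookup and two independent
// authorization layers that close it. Data and API shapes are constructed
// for this example; they are not Cal.com's code or schema.

// Constructed sample data: two users, each owning one booking with PII.
const BOOKINGS = [
  { id: 101, ownerId: 'user-a', attendeeEmail: 'alice@example.com', notes: 'private' },
  { id: 102, ownerId: 'user-b', attendeeEmail: 'bob@example.com',   notes: 'also private' },
];

// --- Vulnerable pattern (IDOR) --------------------------------------------
// The handler only checks that a session exists. It never compares the
// booking's owner to the caller, so any logged-in user can read any booking.
function getBookingVulnerable(session, bookingId) {
  if (!session) return { status: 401 };
  const booking = BOOKINGS.find(b => b.id === bookingId);
  return booking ? { status: 200, booking } : { status: 404 };
}

// --- Layer 1: object-level authorization in the handler -------------------
function getBookingChecked(session, bookingId) {
  if (!session) return { status: 401 };
  const booking = BOOKINGS.find(b => b.id === bookingId);
  // Return 404 for both "missing" and "not yours" so the endpoint does not
  // confirm which ids exist.
  if (!booking || booking.ownerId !== session.userId) return { status: 404 };
  return { status: 200, booking };
}

// --- Layer 2: owner-scoped data access ------------------------------------
// The repository exposes only a lookup keyed by (owner, id). A handler that
// omits layer 1 still cannot retrieve another account's booking through it.
function findBookingForOwner(ownerId, bookingId) {
  return BOOKINGS.find(b => b.id === bookingId && b.ownerId === ownerId) ?? null;
}

function getBookingDefenseInDepth(session, bookingId) {
  if (!session) return { status: 401 };
  const booking = findBookingForOwner(session.userId, bookingId);
  if (!booking) return { status: 404 };
  // Layer 1 re-applied as a cheap invariant: if the repository is later
  // widened to a broader query, this line still fails closed.
  if (booking.ownerId !== session.userId) return { status: 404 };
  return { status: 200, booking };
}

// Regression check: each handler is called by user-b asking for user-a's
// booking. Only the vulnerable handler should return 200.
function crossAccountReadStatuses() {
  const bob = { userId: 'user-b' };
  return {
    vulnerable: getBookingVulnerable(bob, 101).status,
    checked: getBookingChecked(bob, 101).status,
    defenseInDepth: getBookingDefenseInDepth(bob, 101).status,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(crossAccountReadStatuses());
  // { vulnerable: 200, checked: 404, defenseInDepth: 404 }
}
```

The `crossAccountReadStatuses` check is the kind of test a team would keep in its suite after such a fix: it encodes the cross-account read as a permanent assertion rather than relying on reviewers to notice a missing ownership comparison.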

This case exemplifies ongoing challenges in cloud security, particularly around the implementation of authorization logic in multi-tenant systems where proper isolation between user accounts is critical to system security.
