CVE-2026-9303: Cal.com cal.diy CSRF Vulnerability

CVE-2026-9303 Overview

CVE-2026-9303 is a Cross-Site Request Forgery (CSRF) vulnerability affecting calcom cal.diy versions up to 4.9.4 [CWE-352]. An attacker can trigger the flaw remotely by inducing an authenticated user to interact with a crafted request. The affected functionality is not publicly documented, but exploitation requires user interaction and no privileges on the target application. According to the VulDB submission, the exploit code is publicly available and the vendor did not respond to coordinated disclosure outreach.

Critical Impact

Remote attackers can perform unauthorized state-changing actions in the context of authenticated cal.diy users by leveraging publicly available proof-of-concept code.

Affected Products

• calcom cal.diy versions up to and including 4.9.4
• Deployments exposing the affected endpoint to authenticated users via browsers
• Self-hosted instances that have not applied vendor remediation

Discovery Timeline

• 2026-05-23 - CVE-2026-9303 published to NVD
• 2026-05-26 - Last updated in NVD database

Technical Details for CVE-2026-9303

Vulnerability Analysis

The vulnerability is classified under [CWE-352] Cross-Site Request Forgery. The affected cal.diy component fails to validate that state-changing HTTP requests originate from a trusted source. An attacker hosts or injects a malicious page that issues forged requests to the application. When an authenticated victim loads that page, the browser automatically attaches session cookies, and the server processes the request as legitimate. The NVD entry indicates the impacted function is undisclosed, but the consequence is unauthorized actions executed on behalf of the victim.

Root Cause

The root cause is the absence of an anti-CSRF control on at least one state-changing endpoint in cal.diy. Effective mitigations such as synchronizer tokens, double-submit cookies, SameSite cookie attributes, or origin/referer validation are either missing or improperly enforced. Without these controls, the application cannot distinguish between a request initiated by the legitimate user interface and one forged by an attacker-controlled site.

Attack Vector

Exploitation occurs over the network and requires user interaction. The attacker delivers a malicious link, embedded image, auto-submitting form, or fetch call through phishing, a watering-hole page, or a cross-origin advertisement. The victim must be authenticated to the cal.diy instance at the time of interaction. The CVSS 4.0 vector reflects low integrity impact, no confidentiality impact, and no availability impact, consistent with a CSRF that abuses application functions rather than exfiltrating data.

No verified code examples are available. Proof-of-concept material is referenced in the public GitHub PoC gist 26663d9 and GitHub PoC gist dafada3, and the VulDB Vulnerability #365250 entry.

Detection Methods for CVE-2026-9303

Indicators of Compromise

• Unexpected state changes in cal.diy resources tied to authenticated user accounts without corresponding user-driven UI activity
• HTTP requests to sensitive cal.diy endpoints carrying a Referer or Origin header pointing to untrusted third-party domains
• Spikes of identical POST or PUT requests across multiple user sessions originating from external referrers

Detection Strategies

• Inspect web server and reverse proxy logs for state-changing requests where Origin or Referer does not match the application host
• Correlate authentication session telemetry with action audit logs to flag actions that lack a preceding navigation event
• Deploy web application firewall rules that alert on cross-origin form submissions to cal.diy write endpoints

Monitoring Recommendations

• Enable verbose audit logging on all cal.diy write operations and forward logs to a centralized analytics platform
• Monitor user-reported anomalies such as unintended configuration changes, calendar modifications, or account setting updates
• Track outbound phishing campaigns and malicious URLs referencing the cal.diy host as part of brand-abuse monitoring

How to Mitigate CVE-2026-9303

Immediate Actions Required

• Inventory all cal.diy deployments and identify any instance running version 4.9.4 or earlier
• Restrict access to the application to trusted networks or behind authenticated VPN until a fix is verified
• Educate users to log out of cal.diy when not in active use and to avoid clicking untrusted links while authenticated

Patch Information

No vendor patch has been published at the time of NVD entry. The VulDB record notes that the vendor was contacted early but did not respond. Operators should track the VulDB Vulnerability #365250 entry and the upstream cal.diy repository for fixes addressing CWE-352.

Workarounds

• Configure session cookies with SameSite=Strict or SameSite=Lax at the reverse proxy or application layer to block cross-site cookie attachment
• Add a web application firewall rule that rejects state-changing requests lacking a same-origin Origin or Referer header
• Require re-authentication or step-up verification for sensitive operations within cal.diy

# Example nginx configuration enforcing same-origin for state-changing requests
map $request_method $is_write_method {
    default 0;
    POST    1;
    PUT     1;
    PATCH   1;
    DELETE  1;
}

map "$is_write_method:$http_origin" $csrf_block {
    default 0;
    "~^1:(?!https://cal\.example\.com).*" 1;
    "1:"                                  1;
}

server {
    listen 443 ssl;
    server_name cal.example.com;

    if ($csrf_block) {
        return 403;
    }

    # Harden session cookies
    proxy_cookie_flags ~ secure samesite=strict httponly;

    location / {
        proxy_pass http://cal_diy_upstream;
    }
}