CVE-2026-9349 Overview
CVE-2026-9349 is an information disclosure vulnerability affecting Cal.com (calcom/cal.diy) versions up to 4.9.4. The flaw resides in the getServerSideProps function within apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx, part of the Generic React API component. Attackers can manipulate the cancelledBy or rescheduledBy arguments to retrieve sensitive information without authentication. The exploit has been publicly disclosed and is remotely reachable over the network. The vendor was contacted prior to disclosure but did not respond. This issue is tracked under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Unauthenticated remote attackers can disclose booking-related information by manipulating user-controlled parameters in the server-side rendering function.
Affected Products
- Cal.com cal.diy versions through 4.9.4
- Component: Generic React API (bookings-single-view.getServerSideProps.tsx)
- Module: apps/web/modules/bookings/views
Discovery Timeline
- 2026-05-24 - CVE-2026-9349 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9349
Vulnerability Analysis
The vulnerability exists in the Next.js getServerSideProps handler used to render the bookings single-view page. This function executes on the server for each request and returns props consumed by the React page component. Because getServerSideProps runs with backend privileges, any data it returns becomes accessible to the requesting client. The handler accepts the cancelledBy and rescheduledBy query parameters without sufficient authorization checks. As a result, an unauthenticated attacker can craft requests that cause the server to return information beyond what the requester should see.
Root Cause
The root cause is improper access control on user-supplied parameters passed to a server-side data-fetching routine. The cancelledBy and rescheduledBy arguments are trusted and incorporated into backend lookups without verifying the requester's relationship to the referenced booking or user. This category falls under [CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor. The Generic React API surface returns server-resolved properties directly into the page payload, so any leaked record becomes visible in the response body.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP requests to the bookings single-view route, supplying chosen values for the cancelledBy or rescheduledBy parameters. The server processes these inputs in getServerSideProps and returns booking metadata in the rendered response. A publicly available proof-of-concept demonstrating this manipulation has been published on GitHub Gist. Additional technical context is available in the VulDB Vulnerability #365312 entry.
Detection Methods for CVE-2026-9349
Indicators of Compromise
- Unusual HTTP GET requests to bookings single-view endpoints containing cancelledBy or rescheduledBy query parameters with enumerated values.
- Repeated requests from the same source IP iterating across user identifiers or booking IDs in these parameters.
- Server responses for booking pages returning data for users unrelated to the authenticated session, or to requests with no session at all.
Detection Strategies
- Inspect web access logs for high-volume parameter fuzzing patterns against /bookings/ routes, particularly varying values of cancelledBy and rescheduledBy.
- Deploy WAF rules that flag unauthenticated requests carrying these parameters and alert on response payload sizes that suggest sensitive data exposure.
- Correlate application logs of getServerSideProps execution against expected user-to-booking ownership records to identify unauthorized data resolution.
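Added example, not Cal.com code: one way to implement the access-log check in the first strategy above, run over a constructed sample in common log format. The log shape, the `/bookings/` prefix test and the threshold are assumptions.

```typescript
// Added example, not Cal.com code: flag sources that cycle the cancelledBy / rescheduledBy
// parameters on /bookings/ routes, as the detection strategy above describes.
// Assumed log shape: common log format with a quoted request line.
export interface Finding { ip: string; param: string; distinct: number }
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)/;
const WATCHED = ["cancelledBy", "rescheduledBy"];
// Malformed percent-escapes in attacker-controlled paths must not crash the analyser.
const dec = (s: string): string => { try { return decodeURIComponent(s); } catch { return s; } };
// Minimal query-string parser: "/x?a=1&b=x%40y" -> { a: "1", b: "x@y" }
export function queryParams(rawPath: string): Record<string, string> {
  const out: Record<string, string> = {};
  const q = rawPath.indexOf("?");
  if (q < 0) return out;
  for (const pair of rawPath.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    const key = dec(eq < 0 ? pair : pair.slice(0, eq));
    const val = eq < 0 ? "" : dec(pair.slice(eq + 1).replace(/\+/g, " "));
    if (key !== "") out[key] = val;
  }
  return out;
}
// Report sources that used at least `threshold` distinct values for a watched parameter
// on a /bookings/ path. One visitor sees one booking; cycling identifiers is the signal.
export function findEnumerators(lines: string[], threshold = 3): Finding[] {
  const seen: Record<string, string[]> = {}; // "ip|param" -> distinct values observed
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;                         // unparseable line: skip, do not guess
    const ip = m[1], path = m[3];
    if (path.indexOf("/bookings/") !== 0) continue;
    const params = queryParams(path);
    for (const p of WATCHED) {
      if (!(p in params)) continue;
      const vals = seen[ip + "|" + p] || (seen[ip + "|" + p] = []);
      if (vals.indexOf(params[p]) < 0) vals.push(params[p]);
    }
  }
  return Object.keys(seen)
    .filter((k) => seen[k].length >= threshold)
    .map((k) => ({ ip: k.split("|")[0], param: k.split("|")[1], distinct: seen[k].length }));
}
// Constructed sample: 198.51.100.7 cycles rescheduledBy; 203.0.113.5 is an ordinary visitor.
export const SAMPLE_LOG = [
  '198.51.100.7 - - [24/May/2026:10:00:01 +0000] "GET /bookings/abc123?rescheduledBy=a%40example.com HTTP/1.1" 200 5120',
  '198.51.100.7 - - [24/May/2026:10:00:02 +0000] "GET /bookings/abc123?rescheduledBy=b%40example.com HTTP/1.1" 200 5210',
  '198.51.100.7 - - [24/May/2026:10:00:03 +0000] "GET /bookings/abc123?rescheduledBy=c%40example.com HTTP/1.1" 200 5188',
  '203.0.113.5 - - [24/May/2026:10:00:04 +0000] "GET /bookings/abc123?cancelledBy=d%40example.com HTTP/1.1" 200 5001',
  '203.0.113.5 - - [24/May/2026:10:00:05 +0000] "GET /team/demo HTTP/1.1" 200 3300',
];
```

Tune the threshold to the site's normal traffic; a single visitor legitimately reloading one booking page never increases the count of distinct values.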
Monitoring Recommendations
- Enable verbose request logging on the Cal.com web tier and forward logs to a centralized analytics platform for anomaly review.
- Monitor egress data volume from the application server, since enumeration-style information disclosure can produce abnormal response patterns.
- Track 200-status responses to anonymous sessions on booking detail routes and alert on sustained access patterns.
How to Mitigate CVE-2026-9349
Immediate Actions Required
- Restrict public access to the bookings single-view route at the edge or reverse proxy until a patched build is deployed.
- Add authorization checks in getServerSideProps to validate that the requester owns or is authorized to view the referenced booking before returning props.
- Strip or validate the cancelledBy and rescheduledBy parameters server-side and reject requests with unexpected values.
Patch Information
No vendor patch is referenced in the published advisory. The vendor was contacted but did not respond to the disclosure. Operators running Cal.com cal.diy 4.9.4 or earlier should monitor the upstream repository for fixes and apply mitigations in the interim. Refer to VulDB CTI for #365312 for ongoing intelligence updates.
Workarounds
- Place the bookings single-view route behind authentication middleware that rejects anonymous access.
- Implement a server-side allowlist for the cancelledBy and rescheduledBy parameters constrained to identifiers tied to the active session.
- Apply rate limiting on bookings endpoints to slow enumeration of user or booking identifiers.
- Audit getServerSideProps return values to ensure only fields required for rendering are included in the response payload.
# Example nginx rule: reject any request to the bookings routes that carries either
# vulnerable parameter. Note this applies to every client, not only anonymous ones;
# an "if ... return" inside a location block is one of nginx's documented safe uses of "if".
location ~ ^/bookings/ {
    if ($arg_cancelledBy != "") { return 403; }
    if ($arg_rescheduledBy != "") { return 403; }
    proxy_pass http://calcom_upstream;
}
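Added example, not Cal.com's code: a server-side props builder that applies the workarounds above (ownership decided from the session and the stored record, the cancelledBy/rescheduledBy hints allowlisted to the viewer's own identity, and only rendered fields returned). The Session/Booking shapes, field names, status codes and the lookup callback are assumptions.

```typescript
// Added example, not Cal.com code: an authorization gate for a server-side props builder,
// implementing the workarounds above (session-derived ownership check, parameter allowlist,
// minimal props). Types, field names and the lookup callback are assumptions.
export interface Session { userEmail: string | null }            // null = anonymous request
export interface Query { uid?: string; cancelledBy?: string; rescheduledBy?: string }
export interface Booking {
  uid: string; title: string; ownerEmail: string; attendeeEmails: string[];
}
// Only what the page renders: no attendee list, no internal ids, no unrelated records.
export interface PageProps { uid: string; title: string; cancelledBy: string | null; rescheduledBy: string | null }
export type Outcome = { status: 200; props: PageProps } | { status: 401 | 403 | 404 };

export function buildBookingProps(
  query: Query, session: Session, findBooking: (uid: string) => Booking | undefined,
): Outcome {
  if (!query.uid) return { status: 404 };
  const booking = findBooking(query.uid);
  if (!booking) return { status: 404 };
  // Authorization comes from the session and the stored record, never from the query string.
  const viewer = session.userEmail;
  if (viewer === null) return { status: 401 };
  const allowed = viewer === booking.ownerEmail || booking.attendeeEmails.indexOf(viewer) >= 0;
  if (!allowed) return { status: 403 };
  // Allowlist: the cancelledBy / rescheduledBy hints are accepted only when they name the
  // viewer; any other value is discarded and is never used to resolve someone else's data.
  const cancelledBy = query.cancelledBy === viewer ? viewer : null;
  const rescheduledBy = query.rescheduledBy === viewer ? viewer : null;
  return { status: 200, props: { uid: booking.uid, title: booking.title, cancelledBy, rescheduledBy } };
}

// Constructed sample records (not real data) and a lookup callback over them.
export const SAMPLE_BOOKINGS: Booking[] = [
  { uid: "bk-1001", title: "Intro call", ownerEmail: "host@example.com", attendeeEmails: ["guest@example.com"] },
];
export const findSample = (uid: string): Booking | undefined =>
  SAMPLE_BOOKINGS.filter((b) => b.uid === uid)[0];
```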
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.