Unverified Google Calendar Webhook Allows Forced Sync Injection in Cal.com Platform
A critical security gap has been identified in the Cal.com platform's Google Calendar webhook endpoint, potentially exposing users to unauthorized calendar manipulation. The vulnerability, classified as HIGH severity, exists in the `/api/webhook/google-calendar` route, where incoming webhook requests bypass essential signature verification. The endpoint only confirms that the `X-Goog-Channel-ID` header matches an existing database record; it validates neither an HMAC signature nor a shared secret, authentication measures that Google Calendar push notifications do not include by default.
The flaw stems from a predictable channel ID generation pattern: identifiers follow the format `<prefix>-<24-char-userId>` and are discoverable through application logs or error responses. An attacker who obtains or correctly guesses a valid channel ID can POST forged webhook payloads to trigger forced full Google Calendar synchronizations for any user on the platform. This creates multiple attack vectors: injection of unauthorized appointments into the database, triggering repeated re-syncs that exhaust Google API quota (denial of service), or disrupting legitimate calendar operations through malicious data insertion.
The security researcher documented a proof-of-concept exploit demonstrating how a simple curl request with a forged `X-Goog-Channel-ID` header can initiate an unauthorized sync. While the vulnerability requires knowledge of a specific user's channel ID, the predictable generation scheme significantly lowers the barrier for targeted attacks. The recommended remediation involves implementing a cryptographically random secret during watch channel registration, which would enable proper signature validation on incoming notifications and prevent spoofed requests from reaching the sync logic.
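One way to implement the recommended remediation, as an added illustration that is not Cal.com's own code: the channel registration generates a random channel ID and a random secret, the secret is passed as the `token` field of the Google Calendar watch request (Google echoes it back on every notification in the `X-Goog-Channel-Token` header), and the webhook handler rejects any notification whose token does not match the stored hash. The in-memory `channels` map and the function names are assumptions standing in for the application's database and route handler.

```typescript
import { randomBytes, timingSafeEqual, createHash } from "node:crypto";

// Constructed stand-in for the persisted channel table (assumption, not Cal.com's schema).
interface WatchChannel {
  userId: string;
  tokenHash: string; // hex SHA-256 of the per-channel secret; the raw secret is never stored
}
const channels = new Map<string, WatchChannel>();

const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();

// Called once when a watch channel is registered for a user. The returned token is sent to
// Google as the watch request's `token` field and then discarded by the caller.
function registerChannel(userId: string): { channelId: string; token: string } {
  // Random channel ID instead of `<prefix>-<userId>`, so the ID itself is not guessable.
  const channelId = `cal-${randomBytes(16).toString("hex")}`;
  // 256-bit secret that Google will echo back in X-Goog-Channel-Token.
  const token = randomBytes(32).toString("base64url");
  channels.set(channelId, { userId, tokenHash: sha256(token).toString("hex") });
  return { channelId, token };
}

// Webhook-side check. Returns the owning userId when the notification is genuine, or null
// when the channel is unknown, the token is missing, or the token does not match.
function verifyNotification(headers: Record<string, string | undefined>): string | null {
  const channelId = headers["x-goog-channel-id"];
  const token = headers["x-goog-channel-token"];
  if (!channelId || !token) return null;
  const channel = channels.get(channelId);
  if (!channel) return null;
  // Compare fixed-length digests in constant time so a mismatch leaks no timing signal.
  const presented = sha256(token);
  const expected = Buffer.from(channel.tokenHash, "hex");
  return timingSafeEqual(presented, expected) ? channel.userId : null;
}
```

Only a request that passes `verifyNotification` should reach the sync logic; a bare `X-Goog-Channel-ID` without a matching token is dropped before any Google API call is made.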