## Critical Authentication Bypass in miconsu.app Booking API Allows Unauthorized Calendar Access
A critical security flaw has been identified in the `/api/booking/create` endpoint of miconsu.app, leaving the booking system entirely unprotected. Security researchers note the endpoint lacks any session verification, allowing anonymous users to submit booking requests without authentication. The vulnerability permits an attacker to inject an arbitrary `userId` directly into the request body, effectively hijacking the booking flow for any registered user on the platform.

The flaw specifically affects the file `apps/web/src/app/api/booking/create/route.ts`, where the API uses the attacker-supplied `userId` to retrieve the victim's stored Google Calendar access tokens. By crafting a malicious POST request, an unauthorized actor can create calendar events on behalf of any user, schedule fake appointments, and manipulate the victim's scheduling data without their knowledge or consent. The vulnerability also introduces a user enumeration risk: attackers can systematically probe the system by observing whether requests return 200 (user exists) or 404 (user not found) responses, enabling targeted reconnaissance against the user base.

The implications extend beyond individual account compromise. If exploited at scale, the flaw could undermine trust in the platform's booking system, expose sensitive appointment data, and potentially facilitate social engineering or fraud against users who rely on calendar integrity. Security teams have flagged the need for session-based authentication, recommending implementation of cookie token verification and `verifySession` middleware to enforce legitimate user context. The miconsu.app development team has been notified and is expected to issue a patch addressing the IDOR vulnerability and adding proper authorization controls before the flaw can be weaponized in the wild.
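To make the described defect concrete, the following is an added illustration written for this summary, not code from miconsu.app: a handler in the vulnerable shape (identity taken from the request body, no session check, a 200/404 split) next to a session-bound fix. The in-memory session table, the stored-token map, the request shape and the `verifySession` helper are all assumptions for the demo.

```typescript
// Added illustration, not miconsu.app code. Stores, names and request shape are assumed.

type Session = { userId: string } | null;
type Req = { cookies: Record<string, string>; body: { userId?: string; start: string } };
type Res = { status: number; body: Record<string, unknown> };

// Constructed stand-ins for the session table and the stored Google Calendar tokens.
const SESSIONS: Record<string, string> = { "sess-alice": "alice" };           // cookie value -> userId
const CALENDAR_TOKENS: Record<string, string> = { alice: "tok-alice", bob: "tok-bob" };

// Vulnerable shape: no session check, userId taken straight from the request body.
function createBookingVulnerable(req: Req): Res {
  const userId = req.body.userId ?? "";
  const token = CALENDAR_TOKENS[userId];
  if (!token) return { status: 404, body: { error: "user not found" } }; // 200 vs 404 reveals which ids exist
  // token would now be used to write an event into that user's calendar
  return { status: 200, body: { eventOwner: userId, start: req.body.start } };
}

// Stand-in for cookie token verification middleware (name taken from the advisory, body assumed).
function verifySession(cookies: Record<string, string>): Session {
  const userId = SESSIONS[cookies["session"] ?? ""];
  return userId ? { userId } : null;
}

// Hardened shape: identity comes only from the verified session; any userId in the
// body is ignored, and every unauthenticated request gets the same 401 response.
function createBookingFixed(req: Req): Res {
  const session = verifySession(req.cookies);
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  const token = CALENDAR_TOKENS[session.userId];
  if (!token) return { status: 400, body: { error: "calendar not linked" } }; // only the caller sees this
  return { status: 200, body: { eventOwner: session.userId, start: req.body.start } };
}

// Constructed requests: one anonymous, one from a logged-in user, both naming "bob" in the body.
const anonymousForBob: Req = { cookies: {}, body: { userId: "bob", start: "2026-05-03T10:00:00Z" } };
const aliceLoggedIn: Req = { cookies: { session: "sess-alice" }, body: { userId: "bob", start: "2026-05-03T10:00:00Z" } };
```

Run both handlers on `anonymousForBob`: the vulnerable one writes to bob's calendar, the fixed one returns 401, and with `aliceLoggedIn` the fixed one books for alice regardless of the `userId` in the body.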
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: api-security, idor, authentication-bypass, google-calendar, vulnerability
- **Credibility**: unverified
- **Published**: 2026-05-02 07:54:08
- **ID**: 78981
- **URL**: https://whisperx.ai/en/intel/78981