Other people can accept calendar invitations that they have no business accepting. In other words, with the right link, I can accept an invitation on your behalf.  Here’s a quick proof (all done using Google’s web interface):

1. Send your buddy (we will call him Ryan) a calendar invitation to a bogus event.
   

   Add guests to calendar event

2. When Ryan gets the email notification, ask him to simply reply to the message.  He doesn’t  need to write a message, just have him reply to it.
3. Now from  his reply in YOUR EMAIL, click “Yes” to accept the invitation that YOU SENT TO HIM.
   

   Click yes to add event

4. You’ve just put your own event on Ryan’s calendar, without his approval.

What’s that  about? You can imagine how this could become a problem if you were emailing several people at once.  Anyone of them could use that link to add the event to your calendar. PLUS the default settings automatically send emails to the event organizer (you, in this case), so if people want to toy with you, they can change your answer back and forth from “Yes” to “No” to “Maybe” all night long.

Works across domains too.

But you know what?  I don’t think it should work at all.

This bug was discovered by Ryan and myself while we were working late one night. Ryan asked about it in the Help Forum. No one has responded.