Establishing an information-theoretic secret key between two parties using a quantum key distribution (QKD) system is only possible when an accurate characterization of the quantum channel and proper device calibration routines are combined. Indeed, security loopholes due to inappropriate calibration routines have been shown for discrete-variable QKD. Here, we propose and provide experimental evidence of an attack targeting the local oscillator calibration routine of a continuous-variable QKD system. The attack consists in manipulating the classical local oscillator pulses during the QKD run in order to modify the clock pulses used at the detection stage. This allows the eavesdropper to bias the shot noise estimation usually performed using a calibrated relationship. This loophole can be used to perform successfully an intercept-resend attack. We characterize the loophole and suggest possible countermeasures.