
CVE-2026-23478

Critical

Published: 13 January 2026
Modified: 03 February 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update().

This vulnerability is fixed in 6.0.7.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the authentication bypass by identifying, reporting, and applying patches, i.e. upgrading Cal.com to version 6.0.7 or later.

prevent: Enforces approved authorizations so that a manipulated session update cannot grant access to another user's account.

prevent: Treats identity fields supplied to session.update() (such as a target email address) as untrusted client input and resolves the session user from the server-side token instead, blocking authorization bypass through a user-controlled key.

Security Summary

CVE-2026-23478 is a critical authentication bypass vulnerability in Cal.com, an open-source scheduling software. It affects versions from 3.1.6 up to but not including 6.0.7, stemming from a flaw in a custom NextAuth JWT callback. Attackers can supply a target email address via the session.update() function to gain full authenticated access to any user's account. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. By manipulating the session update mechanism, they achieve complete impersonation of any target user, enabling unauthorized access to sensitive scheduling data, account modifications, and potential further compromise within the application.
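The Description and the summary above both describe the same mechanism: a NextAuth `jwt` callback that, on `session.update()`, looks the user up by an email address the client supplied and rewrites the token with that user's identity. The following is an added example written for this page, not Cal.com's code or the patched code from the advisory. It assumes the callback argument shape `{ token, trigger, session }` of NextAuth's `jwt` callback, uses an in-memory array in place of the user table, and the users, emails and roles in it are constructed sample data. It places the vulnerable pattern (CWE-639) beside a hardened callback that only trusts the user id already in the signed token.

```typescript
// Added example, not Cal.com's code: a NextAuth-style `jwt` callback that
// re-resolves the session identity from a client-supplied email on
// session.update() (the CWE-639 pattern described for CVE-2026-23478),
// beside a hardened callback that only ever trusts the user id already
// present in the signed token.
//
// Assumptions: the argument shape ({ token, trigger, session }) mirrors
// NextAuth's jwt callback; an in-memory array stands in for the user table;
// ids, emails and roles below are constructed sample data.

type Role = "user" | "admin";
type User = { id: number; email: string; role: Role };

// Constructed sample user table.
const USERS: User[] = [
  { id: 1, email: "alice@example.com", role: "user" },
  { id: 2, email: "admin@example.com", role: "admin" },
];

const findUserByEmail = (email: string): User | undefined =>
  USERS.find((u) => u.email === email);
const findUserById = (id: number): User | undefined =>
  USERS.find((u) => u.id === id);

// Minimal stand-in for the JWT payload NextAuth signs into the session cookie.
type Token = { id: number; email: string; role: Role };

// Whatever the browser passes to useSession().update(data) arrives in the
// jwt callback as `session`, with trigger === "update".
type JwtArgs = {
  token: Token;
  trigger?: "signIn" | "signUp" | "update";
  session?: unknown;
};

// VULNERABLE: the identity key (email) comes from the client, so any
// signed-in caller can send update({ email: "<victim>" }) and receive a
// token carrying the victim's id and role.
export function jwtVulnerable({ token, trigger, session }: JwtArgs): Token {
  if (trigger === "update" && session) {
    const email = (session as { email?: unknown }).email;
    if (typeof email === "string") {
      const user = findUserByEmail(email);
      if (user) {
        return { id: user.id, email: user.email, role: user.role };
      }
    }
  }
  return token;
}

// HARDENED: `session` is deliberately not read for identity. The only
// trusted key is token.id, set at sign-in; on update the user's own row is
// re-read so the token reflects server-side state rather than client claims.
export function jwtHardened({ token, trigger }: JwtArgs): Token {
  if (trigger === "update") {
    const user = findUserById(token.id);
    if (!user) {
      throw new Error("session refers to a user that no longer exists");
    }
    return { id: user.id, email: user.email, role: user.role };
  }
  return token;
}

// Simulates Alice (id 1) calling update({ email: "admin@example.com" })
// against both callbacks and returns the resulting tokens.
export function demo(): { vulnerable: Token; hardened: Token } {
  const aliceToken: Token = { id: 1, email: "alice@example.com", role: "user" };
  const payload = { email: "admin@example.com" }; // attacker-controlled
  return {
    vulnerable: jwtVulnerable({ token: aliceToken, trigger: "update", session: payload }),
    hardened: jwtHardened({ token: aliceToken, trigger: "update", session: payload }),
  };
}
```

In the vulnerable path the update payload is the only thing selecting which row becomes the session identity, so the server's signature on the JWT protects nothing; in the hardened path the client can still trigger a refresh, but the row that is re-read is chosen by the id that was bound at sign-in. Any non-identity fields that legitimately need to flow through `update()` should be copied from an explicit allow-list, never the whole payload.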

The official Cal.com security advisory (https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg) documents the vulnerability, confirming it is fixed in version 6.0.7. Administrators should immediately upgrade to 6.0.7 or later to mitigate the risk.

Details

CWE(s)

CWE-602 Client-Side Enforcement of Server-Side Security
CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products

cal
cal.com
3.1.6 up to, but not including, 6.0.7

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical authentication bypass in a public-facing web application (Cal.com scheduling software), enabling unauthenticated remote attackers to impersonate any user via session manipulation, directly matching exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg (Cal.com security advisory)