CVE-2026-23478 Overview
CVE-2026-23478 is a critical authentication bypass vulnerability in Cal.com, an open-source scheduling software. The vulnerability exists in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This flaw enables complete account takeover without requiring any prior authentication or user interaction.
Critical Impact
Attackers can achieve full account takeover of any Cal.com user by exploiting the insecure JWT callback implementation, potentially compromising all scheduled appointments, integrations, and personal data.
Affected Products
- Cal.com versions 3.1.6 through 6.0.6
- Self-hosted Cal.com instances running vulnerable versions
- Cal.com deployments using the default NextAuth configuration
Discovery Timeline
- 2026-01-13 - CVE-2026-23478 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-23478
Vulnerability Analysis
This vulnerability is classified under CWE-602: Client-Side Enforcement of Server-Side Security. The flaw resides in the custom NextAuth JWT callback implementation within Cal.com's authentication flow. The vulnerable code improperly trusts client-provided data during session updates, allowing an attacker to modify their session to impersonate any other user.
The core issue is that the JWT callback accepts user-supplied email addresses through the session.update() function without proper server-side validation. When a user triggers a session update, the application fails to verify that the email address being set actually belongs to the authenticated user, enabling arbitrary account access.
Root Cause
The root cause is the improper validation of user-controlled input in the NextAuth JWT callback. The application relies on client-side enforcement rather than server-side verification when processing session updates. This design flaw allows attackers to bypass authentication entirely by directly specifying a target user's email address in the session update request.
The vulnerability stems from trusting the client to provide only legitimate session data. Server-side validation should verify that any email address changes during session updates correspond to the currently authenticated user's verified identity.
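To make the root cause concrete, the following is an added illustrative example, not Cal.com's code and not taken from the advisory. It models a NextAuth-style jwt() callback as a plain function so the vulnerable and hardened patterns can be run side by side. The argument shape (token, trigger, session) follows NextAuth's documented jwt callback; USERS is a constructed in-memory stand-in for the database, and accountForToken() is a hypothetical helper showing why an email claim in the token resolves to a whole account.

```typescript
// Added illustrative example, not Cal.com's code: a NextAuth-style jwt()
// callback modelled as a plain function. Argument shape (token, trigger,
// session) follows NextAuth's documented jwt callback; USERS is a constructed
// in-memory stand-in for the database.

interface Token { sub: string; email: string }
interface UpdatePayload { email?: string }
interface JwtArgs { token: Token; trigger?: "signIn" | "signUp" | "update"; session?: UpdatePayload }

// Constructed user records keyed by the user id stored in token.sub.
const USERS: Record<string, { id: string; email: string }> = {
  "1": { id: "1", email: "alice@example.com" },
  "2": { id: "2", email: "bob@example.com" },
};

// Vulnerable pattern (CWE-602): on trigger === "update" the callback copies the
// client-supplied session.email straight into the token, so whatever the client
// sends becomes the identity the rest of the application trusts.
function jwtVulnerable({ token, trigger, session }: JwtArgs): Token {
  if (trigger === "update" && session?.email) {
    return { ...token, email: session.email };
  }
  return token;
}

// Hardened pattern: the token subject is the only trusted identity. On update,
// the email is re-derived from the server-side record for token.sub and a
// client-supplied value never overrides it; a mismatch is surfaced through
// onSuspicious so it can be logged and alerted on.
function jwtHardened({ token, trigger, session }: JwtArgs,
                     onSuspicious?: (msg: string) => void): Token {
  if (trigger !== "update") return token;
  const user = USERS[token.sub];
  if (!user) throw new Error("token subject has no user record");
  if (session?.email && session.email.toLowerCase() !== user.email.toLowerCase()) {
    if (onSuspicious) onSuspicious(`update for user ${token.sub} supplied foreign email ${session.email}`);
  }
  return { ...token, email: user.email };
}

// Hypothetical downstream lookup: the application resolves the account by the
// email claim in the token. This is why a forged email claim becomes a takeover.
function accountForToken(token: Token): { id: string; email: string } | undefined {
  return Object.keys(USERS)
    .map(k => USERS[k])
    .find(u => u.email.toLowerCase() === token.email.toLowerCase());
}

// Scenario: the holder of user 2's own session sends an update naming user 1's
// email. The vulnerable callback resolves to user 1; the hardened one stays on
// user 2 and raises one alert.
function demo() {
  const ownToken: Token = { sub: "2", email: "bob@example.com" };
  const update: JwtArgs = { token: ownToken, trigger: "update", session: { email: "alice@example.com" } };
  const alerts: string[] = [];
  return {
    vulnerable: accountForToken(jwtVulnerable(update)),
    hardened: accountForToken(jwtHardened(update, m => alerts.push(m))),
    alerts,
  };
}
```

The design point is that an update trigger may refresh claims, but every identity-bearing claim must be recomputed from the server-side record addressed by the token subject; the client payload can at most request a change, never assert one.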
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Establishing a session with the Cal.com application
- Calling session.update() with a target user's email address
- Receiving a valid session token for the target account
- Gaining full authenticated access to the victim's account
The exploitation is straightforward and does not require complex technical knowledge. An attacker simply needs to know the email address of their target to gain complete access to that user's account, including all scheduling data, integrations, and personal information. For additional technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-23478
Indicators of Compromise
- Unusual session update requests containing email addresses different from the authenticated user
- Multiple session tokens being generated for the same account from different IP addresses or locations
- Access to accounts from IP addresses not associated with the legitimate user's history
- Anomalous API calls to session.update() endpoints with varying email parameters
Detection Strategies
- Monitor authentication logs for session update requests that modify email addresses
- Implement alerting for accounts accessed from multiple geographic locations within short timeframes
- Analyze API request patterns for unusual session.update() call frequencies
- Review access logs for accounts showing sudden changes in access patterns or device fingerprints
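The first two indicators above can be checked mechanically. The following is an added detection example, not from the advisory or from Cal.com: it parses constructed log lines and flags session updates whose email differs from the authenticated user, and accounts used from more than one source IP inside a time window. The log format is an assumption, as is the /api/auth/session endpoint (where NextAuth's client-side update() posts); adapt parseLine() to your own log schema.

```typescript
// Added detection example, not from the advisory or Cal.com. The log format and
// the /api/auth/session endpoint are assumptions; the sample lines are constructed.

interface LogEvent {
  ts: number;          // epoch milliseconds
  authEmail: string;   // identity of the session making the request
  method: string;
  endpoint: string;
  reqEmail?: string;   // email carried in the request body, if any
  ip: string;
}

// Constructed sample log: line 2 is a session update naming a different identity
// than the one authenticated; lines 3-4 show that identity then being used from
// a second IP shortly afterwards.
const SAMPLE_LOG: string[] = [
  "2026-01-13T10:00:00Z user=bob@example.com method=POST endpoint=/api/auth/session email=bob@example.com ip=203.0.113.5",
  "2026-01-13T10:00:05Z user=bob@example.com method=POST endpoint=/api/auth/session email=alice@example.com ip=203.0.113.5",
  "2026-01-13T10:01:00Z user=alice@example.com method=GET endpoint=/api/bookings ip=198.51.100.7",
  "2026-01-13T10:02:00Z user=alice@example.com method=GET endpoint=/api/bookings ip=203.0.113.5",
];

// Parse "<timestamp> key=value key=value ..." into a LogEvent; reject lines
// that lack the fields the checks depend on.
function parseLine(line: string): LogEvent {
  const parts = line.trim().split(/\s+/);
  const stamp = parts[0];
  const kv: Record<string, string> = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    if (i > 0) kv[p.slice(0, i)] = p.slice(i + 1);
  }
  const ts = Date.parse(stamp);
  if (Number.isNaN(ts) || !kv["user"] || !kv["endpoint"] || !kv["ip"]) {
    throw new Error(`unparseable log line: ${line}`);
  }
  return { ts, authEmail: kv["user"], method: kv["method"] || "", endpoint: kv["endpoint"],
           reqEmail: kv["email"], ip: kv["ip"] };
}

// Indicator 1: a session update whose email differs from the authenticated user.
function findEmailMismatches(events: LogEvent[]): LogEvent[] {
  return events.filter(e =>
    e.method === "POST" && e.endpoint === "/api/auth/session" &&
    e.reqEmail !== undefined && e.reqEmail.toLowerCase() !== e.authEmail.toLowerCase());
}

// Indicator 2: one account used from more than one source IP within windowMs.
// Returns account -> sorted list of IPs seen inside the first offending window.
function findMultiIpAccounts(events: LogEvent[], windowMs: number): Map<string, string[]> {
  const byUser = new Map<string, LogEvent[]>();
  for (const e of events) {
    const list = byUser.get(e.authEmail) || [];
    list.push(e);
    byUser.set(e.authEmail, list);
  }
  const flagged = new Map<string, string[]>();
  byUser.forEach((list, user) => {
    list.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < list.length; i++) {
      const ips = new Set<string>();
      for (let j = i; j < list.length && list[j].ts - list[i].ts <= windowMs; j++) ips.add(list[j].ip);
      if (ips.size > 1) { flagged.set(user, Array.from(ips).sort()); return; }
    }
  });
  return flagged;
}

// Run both checks over raw lines; default window is ten minutes.
function analyze(lines: string[], windowMs: number = 10 * 60 * 1000) {
  const events = lines.map(parseLine);
  return { mismatches: findEmailMismatches(events), multiIp: findMultiIpAccounts(events, windowMs) };
}
```

The multi-IP check is deliberately coarse (any two IPs inside the window); in production, pair it with the mismatch check so that an account flagged by both, as alice@example.com is here, is escalated rather than treated as ordinary roaming.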
Monitoring Recommendations
- Enable detailed logging for all authentication-related API endpoints
- Implement real-time monitoring for session manipulation attempts
- Configure alerts for accounts that exhibit signs of unauthorized access
- Establish baseline user behavior patterns to detect anomalies indicative of account takeover
How to Mitigate CVE-2026-23478
Immediate Actions Required
- Upgrade Cal.com to version 6.0.7 or later immediately
- Audit authentication logs for signs of exploitation
- Force session invalidation for all users after patching
- Review any suspicious account activity that may indicate prior compromise
Patch Information
Cal.com has addressed this vulnerability in version 6.0.7. The fix implements proper server-side validation in the NextAuth JWT callback to ensure that session updates cannot be used to impersonate other users. Organizations should update to this version immediately to protect against exploitation.
For detailed patch information and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to Cal.com instances to trusted networks only until patching is complete
- Implement additional authentication layers such as multi-factor authentication
- Monitor for suspicious session activity and terminate unauthorized sessions manually
- Consider temporarily disabling the session update functionality if possible without impacting core operations
```shell
# Upgrade Cal.com to patched version
npm update @calcom/web@6.0.7
# Or update via yarn
yarn upgrade @calcom/web@6.0.7
# Invalidate all existing sessions after upgrade
# This forces all users to re-authenticate with the patched version
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.