A critical authentication bypass vulnerability in Cal.com’s scheduling platform enables attackers to hijack any user account by exploiting a flaw in the NextAuth JWT callback mechanism.
Tracked as CVE-2026-23478, this vulnerability affects versions from 3.1.6 up to but not including 6.0.7, with patches available in version 6.0.7 and later.
The vulnerability resides in a custom NextAuth JWT callback that improperly handles client-controlled identity fields during session updates.
When the trigger condition is set to “update,” the callback writes user-supplied data directly into the JSON Web Token without server-side validation.
Detail / Information
CVE ID: CVE-2026-23478
Affected Versions: >= 3.1.6, < 6.0.7
CVSS v4 Score: Critical / 10
Attack Vector: Network
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-639: Authorization Bypass Through User-Controlled Key
An attacker can make a single API call, session.update({ email: "victim@example.com" }), which modifies the JWT so that it carries both the attacker's subject identifier (sub: attackerId) and the victim's email address.
Subsequent requests using this manipulated JWT authenticate as the victim because the application queries the user database using the attacker-controlled token email field.
The session is constructed entirely from the victim’s database record, granting immediate full authenticated access.
Security controls such as two-factor authentication and external identity provider associations do not prevent this attack, as the compromise occurs at the session token level after successful authentication.
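The following is an added illustration, not Cal.com's code and not taken from the advisory: it models the two callback patterns the article describes (a JWT callback that merges client data into the token on trigger === "update", and a session lookup keyed by the token's email) next to a hardened pair that re-derives identity fields from the server-issued sub. The NextAuth jwt callback signature ({ token, trigger, session }) is the real one; the in-memory user table, user ids and emails are constructed for the demo.

```typescript
// Added example (not Cal.com's or NextAuth's code). Simulates the NextAuth
// `jwt` callback contract: on trigger === "update", `session` is whatever the
// client passed to session.update(). No network or database is involved.

type JwtToken = { sub: string; email: string; name?: string };
type UserRecord = { id: string; email: string; name: string };
type JwtArgs = { token: JwtToken; trigger?: string; session?: Partial<JwtToken> };

// Constructed in-memory user table standing in for the database.
const USERS: UserRecord[] = [
  { id: "u-attacker", email: "attacker@example.com", name: "Attacker" },
  { id: "u-victim", email: "victim@example.com", name: "Victim" },
];

function findUserByEmail(email: string): UserRecord | undefined {
  return USERS.find((u) => u.email === email);
}
function findUserById(id: string): UserRecord | undefined {
  return USERS.find((u) => u.id === id);
}

// Vulnerable pattern (CWE-602): client-supplied fields are written straight
// into the token when the client triggers an update.
function vulnerableJwtCallback({ token, trigger, session }: JwtArgs): JwtToken {
  if (trigger === "update" && session) {
    return { ...token, ...session }; // token.email is now client-controlled
  }
  return token;
}

// Vulnerable session resolution (CWE-639): the user record is selected by the
// token's email, a key the client was allowed to set above.
function vulnerableResolveSession(token: JwtToken): UserRecord | undefined {
  return findUserByEmail(token.email);
}

// Hardened pattern: identity fields never come from the client. On update the
// user is re-read by the server-issued `sub` and the token is refreshed from
// that record; unknown subjects are rejected rather than guessed at.
function hardenedJwtCallback({ token, trigger }: JwtArgs): JwtToken {
  if (trigger === "update") {
    const user = findUserById(token.sub);
    if (!user) throw new Error("session update for unknown subject");
    return { ...token, email: user.email, name: user.name };
  }
  return token;
}

// Hardened session resolution: key on `sub`, and refuse tokens whose email
// disagrees with the record, which flags a stale or tampered token.
function hardenedResolveSession(token: JwtToken): UserRecord | undefined {
  const user = findUserById(token.sub);
  if (!user || user.email !== token.email) return undefined;
  return user;
}

// Runs one session.update({ email: victim }) from a logged-in attacker
// through both pipelines and reports which user each one resolves to.
function simulate(): { vulnerableUser?: string; hardenedUser?: string } {
  const attackerToken: JwtToken = { sub: "u-attacker", email: "attacker@example.com" };
  const clientUpdate: Partial<JwtToken> = { email: "victim@example.com" };
  const vTok = vulnerableJwtCallback({ token: attackerToken, trigger: "update", session: clientUpdate });
  const hTok = hardenedJwtCallback({ token: attackerToken, trigger: "update", session: clientUpdate });
  return {
    vulnerableUser: vulnerableResolveSession(vTok)?.id, // "u-victim": account takeover
    hardenedUser: hardenedResolveSession(hTok)?.id,     // "u-attacker": identity preserved
  };
}

console.log(simulate());
```

The hardened callback keeps the update trigger useful (display name and email still refresh after a profile change) while making the database, not the request body, the only source of identity fields. The resolve-time email check is a cheap second line of defence: it catches tokens minted before the fix, and logging its failures gives a detection signal for update requests that tried to swap identities.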
Impact and Response
Successful exploitation grants attackers complete control over victim accounts, including access to all bookings, event types, integrations, organization memberships, billing information, and administrative privileges.
The attack requires only knowledge of the target’s email address and a single API call, making it trivial to execute at scale. Cal.com immediately patched hosted deployments upon discovery.
Security researcher jaydns reported the vulnerability through Veri-Labs, and the maintainers state there is no indication of active exploitation in the wild.
According to the advisory, organizations running self-hosted Cal.com instances must upgrade to version 6.0.7 or later immediately to mitigate this critical risk.
The flaw demonstrates how client-side control of server-side security mechanisms can undermine entire authentication architectures, even in platforms with robust security features.
The post Critical Cal.com Vulnerability Let Attackers Bypass Authentication and Hijack any User Account appeared first on Cyber Security News.