{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23478", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T15:47:41.627Z", "datePublished": "2026-01-13T21:37:35.541Z", "dateUpdated": "2026-01-14T16:56:25.582Z"}, "containers": {"cna": {"title": "Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback", "problemTypes": [{"descriptions": [{"cweId": "CWE-602", "lang": "en", "description": "CWE-602: Client-Side Enforcement of Server-Side Security", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg"}], "affected": [{"vendor": "calcom", "product": "cal.com", "versions": [{"version": ">= 3.1.6, < 6.0.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-13T21:37:35.541Z"}, "descriptions": [{"lang": "en", "value": "Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7."}], "source": {"advisory": "GHSA-7hg4-x4pr-3hrg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T16:56:18.762218Z", "id": "CVE-2026-23478", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T16:56:25.582Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback", "source": {"advisory": "GHSA-7hg4-x4pr-3hrg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "calcom", "product": "cal.com", "versions": [{"status": "affected", "version": ">= 3.1.6, < 6.0.7"}]}], "references": [{"url": "https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg", "name": "https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602: Client-Side Enforcement of Server-Side Security"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-13T21:37:35.541Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23478", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T16:56:18.762218Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-14T16:56:22.616Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-23478", "state": "PUBLISHED", "dateUpdated": "2026-01-13T21:37:35.541Z", "dateReserved": "2026-01-13T15:47:41.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-13T21:37:35.541Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cal:cal.com:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8E43A63-8355-4FDF-ABBE-E5A47329CB33", "versionEndExcluding": "6.0.7", "versionStartIncluding": "3.1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7."}], "id": "CVE-2026-23478", "lastModified": "2026-02-03T19:29:07.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-13T22:16:08.093", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-602"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:25:54.512980+00:00", "value": {"mitigation_remediation": ["Upgrade to Cal.com 6.0.7 or later, which implements proper email validation in the JWT callback. ", "If upgrading is not immediately possible, remove or restrict the custom JWT callback to enforce strict email verification before session updates. ", "Immediately audit accounts that might have been accessed via the flaw, invalidate suspected tokens, and reset passwords."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The flaw affects Cal.com versions ranging from 3.1.6 through 6.0.6. The open\u2011source scheduling platform is used by organizations relying on secure user authentication. Version 6.0.7 and later include the fix that validates the email prior to updating the session.", "description_and_impact": "The vulnerability resides in Cal.com's custom NextAuth JWT callback. An attacker can supply any email address to the session.update() function without validation, allowing them to assume the identity of any user. This bypasses authentication and grants full access to that account, enabling the attacker to view or modify confidential data, schedule appointments, and potentially impersonate the user in future interactions. The underlying weakness aligns with CWE\u2011602 and CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 10 marks this as a critical flaw. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because no special conditions are required beyond sending a crafted request to the JWT callback, an attacker with network access could exploit the issue. The lack of input validation makes this a straightforward authentication bypass."}}}}, "created": "2026-01-14T11:08:34.507982+00:00", "updated": "2026-04-18T06:30:25.909261+00:00", "vendors": ["cal", "cal$PRODUCT$cal.com"]}