Critical Cal.com Authentication Bypass Flaw Lets Attackers Hijack User Accounts
A critical authentication bypass vulnerability impacting Cal.com’s scheduling platform allows attackers to hijack any user account. This flaw exploits a weakness in the NextAuth JWT callback mechanism.
Tracked as CVE-2026-23478, this vulnerability affects versions from 3.1.6 up to but not including 6.0.7, with patches available in version 6.0.7 and later.
The vulnerability resides in a custom NextAuth JWT callback that improperly handles client-controlled identity fields during session updates.
When the trigger condition is set to “update,” the callback writes user-supplied data directly into the JSON Web Token without server-side validation.
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-23478 |
| Affected Versions | >= 3.1.6 < 6.0.7 |
| CVSS v4 Score | Critical / 10 |
| Attack Vector | Network |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
| CWE-639 | Authorization Bypass Through User-Controlled Key |
An attacker can make a single API call, `session.update({email: "[email protected]"})`, which modifies the JWT so that it contains both the attacker's subject identifier (`sub: attackerId`) and the victim's email address.
Subsequent requests using this manipulated JWT authenticate as the victim because the application queries the user database using the attacker-controlled token email field.
The session is constructed entirely from the victim’s database record, granting immediate full authenticated access.
Security controls such as two-factor authentication and external identity provider associations do not prevent this attack, as the compromise occurs at the session token level after successful authentication.
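The following is an added illustration of the CWE-602 / CWE-639 pattern described above; it is not Cal.com's code and not the actual 6.0.7 patch. It simulates the argument shape NextAuth passes to a `jwt` callback on `session.update()` (`token`, `trigger`, `session`) against a hypothetical in-memory user table, placing the vulnerable callback and lookup beside a hardened version that ignores client-supplied identity fields and resolves the user by the immutable `sub`. The `updateCannotSwitchIdentity` check is a regression test a defender can keep in a suite: a session update must never change which account the server resolves.

```typescript
// Hypothetical user table (constructed sample data, not real accounts).
interface UserRecord { id: string; email: string; role: "user" | "admin" }
const USERS: UserRecord[] = [
  { id: "u-attacker", email: "attacker@example.com", role: "user" },
  { id: "u-victim", email: "victim@example.com", role: "admin" },
];

interface Token { sub: string; email: string }

// Shape of what a NextAuth-style jwt callback receives on session.update():
// trigger === "update" and `session` holds whatever the client sent.
interface JwtCallbackArgs {
  token: Token;
  trigger?: "signIn" | "signUp" | "update";
  session?: Partial<Token>;
}

// Vulnerable pattern (CWE-602): on "update", client-supplied fields are merged
// straight into the token, so `email` becomes attacker-controlled.
function vulnerableJwtCallback({ token, trigger, session }: JwtCallbackArgs): Token {
  if (trigger === "update" && session) {
    return { ...token, ...session };
  }
  return token;
}

// Vulnerable session construction (CWE-639): the user is looked up by the
// token's email, a key the client was just allowed to set.
function vulnerableResolveUser(token: Token): UserRecord | undefined {
  return USERS.find((u) => u.email === token.email);
}

// Hardened pattern: the token only ever carries server-verified identity.
// Client-sent fields are ignored; if a fresh email is needed it is re-read
// from the server-side record keyed by token.sub.
function hardenedJwtCallback({ token, trigger }: JwtCallbackArgs): Token {
  if (trigger === "update") {
    const fresh = USERS.find((u) => u.id === token.sub);
    if (fresh) return { sub: fresh.id, email: fresh.email };
  }
  return token;
}

// Hardened session construction: key on the immutable subject, never on email.
function hardenedResolveUser(token: Token): UserRecord | undefined {
  return USERS.find((u) => u.id === token.sub);
}

// Runs one session-update round trip starting from a token issued by a
// legitimate login as the attacker; returns the account id the server resolves.
function simulateUpdate(
  cb: (a: JwtCallbackArgs) => Token,
  resolve: (t: Token) => UserRecord | undefined,
  clientPayload: Partial<Token>,
): string | undefined {
  const issued: Token = { sub: "u-attacker", email: "attacker@example.com" };
  const updated = cb({ token: issued, trigger: "update", session: clientPayload });
  return resolve(updated)?.id;
}

// Defensive regression check: an update carrying another user's email must
// resolve to the same account as an empty update.
function updateCannotSwitchIdentity(
  cb: (a: JwtCallbackArgs) => Token,
  resolve: (t: Token) => UserRecord | undefined,
): boolean {
  const before = simulateUpdate(cb, resolve, {});
  const after = simulateUpdate(cb, resolve, { email: "victim@example.com" });
  return before === after;
}

console.log("vulnerable resolves to:", simulateUpdate(vulnerableJwtCallback, vulnerableResolveUser, { email: "victim@example.com" }));
console.log("hardened resolves to:", simulateUpdate(hardenedJwtCallback, hardenedResolveUser, { email: "victim@example.com" }));
```

The hardened callback still supports legitimate profile updates (a user who changed their email on the server gets the new value on the next update), but the source of truth is the database row selected by `sub`, so nothing in the client payload can influence which record the session is built from. This is also why second-factor and identity-provider checks do not help in the vulnerable flow: they run at login, and the identity swap happens afterwards inside the already-issued token.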
Impact and Response
Successful exploitation grants attackers complete control over victim accounts, including access to all bookings, event types, integrations, organization memberships, billing information, and administrative privileges.
The attack requires only knowledge of the target’s email address and a single API call, making it trivial to execute at scale. Cal.com immediately patched hosted deployments upon discovery.
Security researcher jaydns reported the vulnerability through Veri-Labs, and the maintainers state that there is no indication of active exploitation in the wild.
According to the advisory, organizations running self-hosted Cal.com instances must upgrade to version 6.0.7 or later immediately to mitigate this critical risk.
The flaw demonstrates how client-side control of server-side security mechanisms can undermine entire authentication architectures, even in platforms with robust security features.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.