Cyber Posture

CVE-2026-23478

Critical

Published: 13 January 2026
Modified: 03 February 2026
KEV Added: not listed
Patch: available (fixed in 6.0.7)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23478 is a critical-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Cal Cal.Com. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks at the 33.7th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the authentication bypass by identifying, reporting, and applying patches, such as upgrading Cal.com to version 6.0.7 or later.

prevent (AC-3, Access Enforcement): Enforces approved authorizations to prevent attackers from gaining unauthorized access to any user's account via manipulated session updates.

prevent (SI-10, Information Input Validation): Validates user-supplied inputs, such as the target email address passed through session.update(), to block authorization bypass through user-controlled keys.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical authentication bypass in a public-facing web application (Cal.com scheduling software), enabling unauthenticated remote attackers to impersonate any user via session manipulation, directly matching exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

Deeper analysis

CVE-2026-23478 is a critical authentication bypass vulnerability in Cal.com, open-source scheduling software. It affects versions from 3.1.6 up to but not including 6.0.7, and stems from a flaw in a custom NextAuth JWT callback: an attacker can supply a target email address through the session.update() function and obtain full authenticated access to that user's account. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. By manipulating the session update mechanism, they achieve complete impersonation of any target user, enabling unauthorized access to sensitive scheduling data, account modifications, and potential further compromise within the application.
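To make the CWE-602/CWE-639 pattern concrete, here is an added example (not Cal.com's code and not taken from the advisory) of a NextAuth-style jwt callback that trusts identity fields sent through the client-side session.update(), beside a hardened version that re-derives identity from the server-held token subject. The user store, field names and callback shape are constructed for illustration.

```javascript
// Constructed user store standing in for the application database.
const USERS = [
  { id: 1, email: "alice@example.test", role: "user" },
  { id: 2, email: "admin@example.test", role: "admin" },
];
const findUserByEmail = (email) => USERS.find((u) => u.email === email);
const findUserById = (id) => USERS.find((u) => u.id === id);

// Vulnerable pattern: on a client-triggered update, the `session` object the
// client sent is used to look up a user and re-issue the token, so naming any
// email address yields that user's identity (server-side security enforced by
// client-supplied data; authorization keyed on a user-controlled value).
function vulnerableJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session?.email) {
    const target = findUserByEmail(session.email);
    if (target) {
      token.sub = String(target.id);
      token.email = target.email;
      token.role = target.role;
    }
  }
  return token;
}

// Hardened pattern: identity comes only from the token subject the server
// issued at sign-in. Client-supplied update data may refresh an allow-list of
// non-identity fields; email, sub and role are never taken from the client.
const UPDATABLE_FIELDS = new Set(["locale", "timeZone"]);
function hardenedJwtCallback({ token, trigger, session }) {
  if (trigger === "update") {
    const user = findUserById(Number(token.sub));
    if (!user) return null; // unknown subject: invalidate rather than guess
    token.email = user.email; // re-derived server-side
    token.role = user.role;
    for (const [key, value] of Object.entries(session ?? {})) {
      if (UPDATABLE_FIELDS.has(key) && typeof value === "string") {
        token[key] = value;
      }
    }
  }
  return token;
}
```

The same rule applies to any field a client can send through update(): treat it as untrusted input (SI-10) and let authorization depend only on server-held identity (AC-3).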

The official Cal.com security advisory (https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg) documents the vulnerability, confirming it is fixed in version 6.0.7. Administrators should immediately upgrade to 6.0.7 or later to mitigate the risk.

Details

CWE(s): CWE-602 (Client-Side Enforcement of Server-Side Security), CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products: cal / cal.com, versions 3.1.6 up to but not including 6.0.7

CVEs Like This One

CVE-2025-66489 (same product: Cal Cal.Com)
CVE-2024-50693 (shared CWE-639)
CVE-2026-22234 (shared CWE-639)
CVE-2024-53406 (shared CWE-639)
CVE-2025-9062 (shared CWE-639)
CVE-2025-0352 (shared CWE-639)
CVE-2025-51682 (shared CWE-602)
CVE-2026-30230 (shared CWE-639)
CVE-2025-69394 (shared CWE-639)
CVE-2026-28469 (shared CWE-639)
