Cyber Resilience

CVE-2026-23478

Severity: Critical

Published: 13 January 2026

Modified: 03 February 2026
CVSS Score (v4): 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0040 (31.8th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-23478 is a critical-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Cal.com (vendor: Cal). Its CVSS v4 base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 31.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23478 is a critical authentication bypass vulnerability in Cal.com, open-source scheduling software. It affects versions from 3.1.6 up to but not including 6.0.7 and stems from a flaw in a custom NextAuth JWT callback: the callback accepts a target email address supplied through session.update() and uses it to establish the session identity, so an attacker who names another account gains full authenticated access to it. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction required. By manipulating the session update mechanism, they achieve complete impersonation of any target user, enabling unauthorized access to sensitive scheduling data, account modifications, and potential further compromise within the application.

The official Cal.com security advisory (https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg) documents the vulnerability, confirming it is fixed in version 6.0.7. Administrators should immediately upgrade to 6.0.7 or later to mitigate the risk.
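To make the flawed pattern concrete, the following is an added illustration, not Cal.com's code and not the advisory's actual fix: a NextAuth-style jwt callback that rewrites the token's identity from the email passed to session.update(), beside a hardened variant that keeps identity bound to the server-issued token.sub and accepts only an allow-list of harmless preference fields. The user store, field names and role values are constructed for the example.

```javascript
// Added illustration, not Cal.com's code: a NextAuth-style `jwt` callback.
// NextAuth invokes jwt({ token, user, trigger, session }); when the client calls
// session.update(data), trigger === "update" and `session` is the client payload.

// Constructed server-side user store standing in for the application database.
const USERS = new Map([
  ["alice@example.test", { id: "u1", email: "alice@example.test", role: "user" }],
  ["admin@example.test", { id: "u2", email: "admin@example.test", role: "admin" }],
]);

// Flawed pattern (CWE-602 / CWE-639): the callback treats the client-supplied
// email as the identity to switch to, so the token ends up representing whichever
// account the client names. Server-side enforcement has been delegated to the client.
function jwtCallbackVulnerable({ token, trigger, session }) {
  if (trigger === "update" && session && typeof session.email === "string") {
    const target = USERS.get(session.email);
    if (target) {
      return { ...token, sub: target.id, email: target.email, role: target.role };
    }
  }
  return token;
}

// Hardened pattern: identity stays bound to the server-issued token.sub. The client
// may only update an allow-list of harmless preference fields (constructed names),
// and identity-bearing fields are re-read from the server-side record.
const CLIENT_UPDATABLE_FIELDS = new Set(["locale", "timeZone"]);

function jwtCallbackHardened({ token, trigger, session }) {
  if (trigger !== "update" || !session || typeof session !== "object") return token;
  const next = { ...token };
  for (const [key, value] of Object.entries(session)) {
    if (CLIENT_UPDATABLE_FIELDS.has(key) && typeof value === "string") next[key] = value;
  }
  const owner = [...USERS.values()].find((u) => u.id === token.sub);
  if (owner) {
    next.email = owner.email; // never taken from the update payload
    next.role = owner.role;
  }
  return next;
}

// Simulates an already-authenticated user (alice) sending an update payload.
function simulateUpdate(callback, payload) {
  const token = { sub: "u1", email: "alice@example.test", role: "user" };
  return callback({ token, trigger: "update", session: payload });
}
```

A regression test for the hardened callback should assert that no key in the update payload can change sub, email or role, and that a missing or non-object payload leaves the token untouched.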

Vulnerability details

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update().

This vulnerability is fixed in 6.0.7.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical authentication bypass in a public-facing web application (Cal.com scheduling software), enabling unauthenticated remote attackers to impersonate any user via session manipulation, directly matching exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66489 (same product: Cal.com)
CVE-2026-41471 (shared CWE-639)
CVE-2023-36331 (shared CWE-639)
CVE-2026-33297 (shared CWE-639)
CVE-2026-41084 (shared CWE-639)
CVE-2024-50685 (shared CWE-639)
CVE-2019-25235 (shared CWE-639)
CVE-2026-28469 (shared CWE-639)
CVE-2026-33511 (shared CWE-639)
CVE-2026-40600 (shared CWE-639)

Affected Assets

Vendor: cal
Product: cal.com
Affected versions: 3.1.6 up to but not including 6.0.7

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mitigates the authentication bypass by identifying, reporting, and applying patches, such as upgrading Cal.com to version 6.0.7 or later.

prevent, AC-3 (Access Enforcement): Enforces approved authorizations to prevent attackers from gaining unauthorized access to any user's account via manipulated session updates.

prevent, SI-10 (Information Input Validation): Validates user-supplied inputs, such as target email addresses passed to session.update(), to block authorization bypass through user-controlled keys.
