
Critical Cal.com Vulnerability Let Attackers Bypass Authentication and Hijack any User Account

A critical authentication bypass vulnerability in Cal.com’s scheduling platform enables attackers to hijack any user account by exploiting a flaw in the NextAuth JWT callback mechanism.

Tracked as CVE-2026-23478, this vulnerability affects versions from 3.1.6 up to but not including 6.0.7, with patches available in version 6.0.7 and later.

The vulnerability resides in a custom NextAuth JWT callback that improperly handles client-controlled identity fields during session updates.

When the trigger condition is set to “update,” the callback writes user-supplied data directly into the JSON Web Token without server-side validation.

Summary of the advisory details:

CVE ID: CVE-2026-23478
Affected versions: >= 3.1.6 and < 6.0.7
CVSS v4 score: 10 (Critical)
Attack vector: Network
Weaknesses: CWE-602 (Client-Side Enforcement of Server-Side Security), CWE-639 (Authorization Bypass Through User-Controlled Key)

An attacker needs only a single call to session.update({ email: "victim@example.com" }), which modifies the JWT so that it carries both the attacker's own subject identifier (sub: attackerId) and the victim's email address.

Subsequent requests using this manipulated JWT authenticate as the victim because the application queries the user database using the attacker-controlled token email field.

The session is constructed entirely from the victim’s database record, granting immediate full authenticated access.

Security controls such as two-factor authentication and external identity provider associations do not prevent this attack, as the compromise occurs at the session token level after successful authentication.
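To make the pattern concrete, here is an added illustration (not Cal.com's code, and not taken from the advisory) of the CWE-602/CWE-639 shape described above: a NextAuth-style jwt callback that copies client-supplied fields into the token on the "update" trigger, alongside a hardened version that keeps identity fields server-controlled and resolves the user by the server-issued subject. The user table, field names and helper functions are constructed for the example.

```javascript
// Added illustration of the CWE-602/CWE-639 pattern described above; not Cal.com's code.
// A constructed in-memory user table stands in for the database.
const USERS = {
  "attacker-id": { id: "attacker-id", email: "attacker@example.com", role: "user" },
  "victim-id": { id: "victim-id", email: "victim@example.com", role: "admin" },
};
const findUserByEmail = (email) => Object.values(USERS).find((u) => u.email === email) || null;
const findUserById = (id) => USERS[id] || null;

// Vulnerable shape (hypothetical simplification): on the "update" trigger the callback
// merges whatever the client sent straight into the token, including identity fields.
function vulnerableJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session) {
    return { ...token, ...session }; // token.email now comes from the client
  }
  return token;
}
// Vulnerable lookup: the session user is resolved by the client-controlled token email.
function vulnerableResolveUser(token) {
  return findUserByEmail(token.email);
}

// Hardened shape: identity fields are never accepted from the client. On "update" the
// callback re-reads the user record keyed by the server-issued subject (token.sub), and
// the session is resolved by that same server-controlled key rather than by email.
const IDENTITY_FIELDS = new Set(["sub", "id", "email"]);
function hardenedJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session) {
    const user = findUserById(token.sub);
    if (!user) return token;
    const safe = {};
    for (const [k, v] of Object.entries(session)) {
      if (!IDENTITY_FIELDS.has(k)) safe[k] = v; // e.g. a display name or locale
    }
    return { ...token, ...safe, email: user.email };
  }
  return token;
}
function hardenedResolveUser(token) {
  return findUserById(token.sub);
}

// Replays the update call the article describes against an implementation and returns
// the id of the account it ends up authenticated as (or null if none).
function simulateUpdate(jwtCallback, resolveUser) {
  const token = { sub: "attacker-id", email: "attacker@example.com" };
  const updated = jwtCallback({ token, trigger: "update", session: { email: "victim@example.com" } });
  const user = resolveUser(updated);
  return user ? user.id : null;
}
```

The same check applies when reviewing any jwt or session callback: identity keys must come from the server-issued token or a fresh database read, never from the update payload.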

Impact and Response

Successful exploitation grants attackers complete control over victim accounts, including access to all bookings, event types, integrations, organization memberships, billing information, and administrative privileges.

The attack requires only knowledge of the target’s email address and a single API call, making it trivial to execute at scale. Cal.com immediately patched hosted deployments upon discovery.

Security researcher jaydns reported the vulnerability through Veri-Labs, and the maintainers state there is no indication of active exploitation in the wild.

According to the advisory, organizations running self-hosted Cal.com instances must upgrade to version 6.0.7 or later immediately to mitigate this critical risk.

The flaw demonstrates how client-side control of server-side security mechanisms can undermine entire authentication architectures, even in platforms with robust security features.


The post Critical Cal.com Vulnerability Let Attackers Bypass Authentication and Hijack any User Account appeared first on Cyber Security News.
