Vulnerability Overview
CVE ID: CVE-2026-23478
Product: Cal.com
Vulnerability Type: Authentication Bypass / Authorization Logic Flaw
Affected Component: Custom NextAuth JWT callback and session update logic
Severity: Critical
CVSS Score: 10.0
Attack Vector: Remote (Network)
Authentication Required: No
User Interaction Required: No
Privileges Required: None
Impact: Full account takeover, including administrative accounts
Executive Summary
CVE-2026-23478 is a critical authentication bypass vulnerability in Cal.com caused by improper trust in user-supplied identity data during session updates.
The application incorrectly allows a client to influence the authenticated session identity by passing an arbitrary email address into a session update flow.
Because the backend logic does not verify that the supplied email actually belongs to the authenticated token owner, an attacker can effectively impersonate any user, including administrators.
This is a pure server-side logic failure, not a cryptographic weakness. No JWT signing keys are broken, and no passwords need to be guessed or stolen. The server simply trusts data it should never trust.
Root Cause
Cal.com uses NextAuth with a custom JWT callback to manage authentication sessions.
During a session refresh or update operation:
- The backend accepts a `session.update()` request.
- The request includes an `email` value.
- The JWT callback uses this email to construct the session identity.
- The backend fails to verify that:
- the email belongs to the JWT subject, or
- the user has re-authenticated, or
- the session owner is authorized to change identity attributes.
Why this is dangerous
Email addresses in Cal.com are primary user identifiers.
By allowing the client to supply an arbitrary email during a session update, the server essentially allows:
“Tell me who you want to be, and I’ll create a valid session for that identity.”
This leads directly to authentication bypass and account takeover.
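To make the root cause concrete, here is an added illustration (not Cal.com's code and not taken from the advisory) of a NextAuth-style `jwt()` callback written in the vulnerable shape described above, next to a hardened version. NextAuth invokes the callback as `jwt({ token, trigger, session })`; on a client-side `update()` call, `trigger` is `"update"` and `session` is the client payload. The user table, `findUserById`, `findUserByEmail`, the `UPDATABLE_FIELDS` allowlist and `runUpdate` are constructed stand-ins for this example.

```javascript
// Added example, not Cal.com's code: a NextAuth-style jwt() callback in the
// vulnerable shape the advisory describes, next to a hardened version.
// NextAuth calls jwt({ token, trigger, session }); on a client-side
// update() call, trigger is "update" and `session` is the client payload.
// The user table and lookup helpers below are constructed stand-ins.

const USERS = {
  "u-1": { id: "u-1", email: "alice@example.test", role: "user" },
  "u-2": { id: "u-2", email: "admin@example.test", role: "admin" },
};

function findUserById(id) {
  return USERS[id] || null;
}

function findUserByEmail(email) {
  return Object.values(USERS).find((u) => u.email === email) || null;
}

// Vulnerable pattern: the email in the update payload is used to look up a
// user and rebuild the identity claims, with no check that this email
// belongs to token.sub. Any valid session can thus be turned into a
// session for whichever account the payload names.
function vulnerableJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session && session.email) {
    const user = findUserByEmail(session.email);
    if (user) {
      token.sub = user.id;
      token.email = user.email;
      token.role = user.role;
    }
  }
  return token;
}

// Hardened pattern: identity claims are always re-derived from the record
// behind token.sub. Only an allowlist of non-identity preferences may be
// changed through update(); email, sub and role from the client are ignored.
const UPDATABLE_FIELDS = new Set(["locale", "timeZone"]);

function hardenedJwtCallback({ token, trigger, session }) {
  if (trigger !== "update" || !session) return token;

  const user = findUserById(token.sub);
  if (!user) {
    // No backing record for this subject: fail closed rather than trust input.
    throw new Error("unknown subject in token");
  }

  const next = { ...token };
  for (const [key, value] of Object.entries(session)) {
    if (UPDATABLE_FIELDS.has(key) && typeof value === "string") {
      next[key] = value;
    }
  }
  // Identity claims come from the stored record, never from the request.
  next.sub = user.id;
  next.email = user.email;
  next.role = user.role;
  return next;
}

// Run one update for a session whose subject is u-1 but whose payload names
// another account's email, to show how each callback responds.
function runUpdate(callback) {
  const token = { sub: "u-1", email: "alice@example.test", role: "user" };
  return callback({
    token,
    trigger: "update",
    session: { email: "admin@example.test", locale: "de" },
  });
}

console.log("vulnerable:", runUpdate(vulnerableJwtCallback));
console.log("hardened:", runUpdate(hardenedJwtCallback));
```

The design point is that the hardened callback treats `token.sub` as the only identity input and looks everything else up server-side; the client payload can change a locale but never an email or role, which is exactly the "immutable identity claims" rule in the lessons learned below.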
Exploitation (Educational Explanation Only)
Exploitation concept
An attacker:
- Sends a crafted request to the session update endpoint
- Supplies the email address of a target user
- Receives a server-issued authenticated session for that user
Because the server:
- Does not re-check ownership of the email
- Does not enforce identity immutability in the session
- Does not require re-authentication
…the session is accepted as legitimate.
Result
- Immediate login as the victim
- Access to all calendars, bookings, integrations, and admin functions
- Persistent access until session expiration or invalidation
Proof of Concept (Availability Status)
- There is no widely published public exploit script at the time of disclosure.
- The vulnerability is trivial to exploit for anyone familiar with web authentication flows.
- This is a logic flaw, meaning attackers do not need special tooling.
Because of the high risk of misuse, weaponized PoC code should not be publicly released. Defensive testing should be performed only in controlled environments.
Indicators of Exploitation
Behavioral red flags
- Session creation without a corresponding login event
- Sudden access to an account from a new IP or device
- One client creating sessions for multiple different email addresses
- Admin account activity without recent admin login
Detection Strategy
Log Sources to Monitor
- Application logs (Node.js / Next.js)
- Session creation
- Session update events
- JWT callback execution logs
- Authentication logs
- Token issuance vs. session identity mismatches
- Web server / API gateway logs
- Requests to session-related endpoints
- POST requests with identity parameters
- Database audit logs
- New session records
- User-session associations
High-Signal Detection Logic
Alert when:
- A session is created or updated
- AND an `email` parameter is supplied
- AND that email does not match the authenticated token subject
- OR there is no prior login event
Example Detection Query
IF request.endpoint CONTAINS "session"
AND request.method == POST
AND request.body.email IS NOT NULL
AND request.body.email != authenticated_user.email
THEN alert "Possible Authentication Bypass"
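The pseudo-query above, together with the behavioral red flags listed under Indicators of Exploitation, can be run over application logs. The following is an added example (not part of the advisory and not Cal.com's logging) that applies the rule to constructed JSON log lines. The field names (`event`, `clientId`, `tokenSub`, `tokenEmail`, `endpoint`, `method`, `body`) and the `/api/auth/session` path are assumptions about what such a log would carry, not a real log schema.

```javascript
// Added example: the detection logic from the advisory applied to constructed
// log lines. Field names and the endpoint path are assumptions, not Cal.com's
// actual log format. Each alert carries the reasons that fired:
//   email_mismatch      supplied email != email of the authenticated token
//   no_prior_login      no login event seen for this token subject
//   multiple_identities one client supplied more than one distinct email

const SAMPLE_LOGS = [
  '{"ts":"2026-01-10T09:00:01Z","event":"login","clientId":"c-1","tokenSub":"u-1","tokenEmail":"alice@example.test"}',
  '{"ts":"2026-01-10T09:05:12Z","event":"request","clientId":"c-1","tokenSub":"u-1","tokenEmail":"alice@example.test","endpoint":"/api/auth/session","method":"POST","body":{"email":"alice@example.test","locale":"de"}}',
  '{"ts":"2026-01-10T09:07:40Z","event":"request","clientId":"c-9","tokenSub":"u-3","tokenEmail":"user3@example.test","endpoint":"/api/auth/session","method":"POST","body":{"email":"admin@example.test"}}',
  '{"ts":"2026-01-10T09:08:02Z","event":"request","clientId":"c-9","tokenSub":"u-3","tokenEmail":"user3@example.test","endpoint":"/api/auth/session","method":"POST","body":{"email":"carol@example.test"}}',
  '{"ts":"2026-01-10T09:09:00Z","event":"request","clientId":"c-1","tokenSub":"u-1","tokenEmail":"alice@example.test","endpoint":"/api/bookings","method":"GET"}',
];

function detectIdentityOverride(lines) {
  const loggedInSubjects = new Set();   // token subjects with a login event
  const emailsPerClient = new Map();    // clientId -> Set of supplied emails
  const alerts = [];

  for (const line of lines) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch (e) {
      continue; // skip malformed lines rather than abort the whole scan
    }

    if (ev.event === "login") {
      loggedInSubjects.add(ev.tokenSub);
      continue;
    }
    // Only POSTs to session-related endpoints are in scope.
    if (ev.event !== "request" || ev.method !== "POST") continue;
    if (!String(ev.endpoint || "").includes("session")) continue;

    const supplied =
      ev.body && typeof ev.body.email === "string" ? ev.body.email : null;
    if (supplied === null) continue; // no identity parameter in the body

    const seen = emailsPerClient.get(ev.clientId) || new Set();
    seen.add(supplied.toLowerCase());
    emailsPerClient.set(ev.clientId, seen);

    const reasons = [];
    if (supplied.toLowerCase() !== String(ev.tokenEmail || "").toLowerCase()) {
      reasons.push("email_mismatch");
    }
    if (!loggedInSubjects.has(ev.tokenSub)) {
      reasons.push("no_prior_login");
    }
    if (seen.size > 1) {
      reasons.push("multiple_identities");
    }

    if (reasons.length > 0) {
      alerts.push({
        ts: ev.ts,
        clientId: ev.clientId,
        tokenSub: ev.tokenSub,
        suppliedEmail: supplied,
        reasons,
        message: "Possible Authentication Bypass",
      });
    }
  }
  return alerts;
}

for (const alert of detectIdentityOverride(SAMPLE_LOGS)) {
  console.log(JSON.stringify(alert));
}
```

On the constructed input, the legitimate update from `c-1` (email matches the token, login seen earlier) produces nothing, while the two updates from `c-9` each fire, the second one also tripping the one-client-many-emails flag. In a real deployment the login and request events would come from separate sources (authentication logs and gateway logs), so correlating them requires a shared key such as the token subject or session id.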
Defensive Payload Pattern
Security teams may look for identity override attempts, such as:
- Requests where `email` or `user` fields are client-controlled
- Session update requests lacking strong authentication context
MITRE ATT&CK Mapping
- T1078 – Valid Accounts
- Attacker gains access by impersonating legitimate users
- T1098 – Account Manipulation
- Session identity manipulated without authorization
- T1134 – Access Token Manipulation
- Session/JWT trust abused to escalate access
Impact Assessment
| Area | Impact |
|---|---|
| Confidentiality | Complete loss |
| Integrity | Full account manipulation |
| Availability | Indirect (data deletion possible) |
| Compliance | High risk (GDPR, SOC2, HIPAA depending on use) |
| Business Risk | Account hijacking, data leaks, reputational damage |
Incident Response Guidance
If exploitation is suspected
- Immediately upgrade to the fixed version
- Invalidate all active sessions
- Force re-authentication for all users
- Review admin account access logs
- Notify affected users if required by policy
- Rotate secrets if session signing keys were reused elsewhere
Remediation (Required)
Official Fix
Upgrade Cal.com to version 6.0.7 or later
Official patch / advisory link:
https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg
Security Lessons Learned
- Never trust client-supplied identity attributes
- Session updates must never change identity without re-authentication
- JWT callbacks should treat token claims as immutable
- Identity changes should always require password or MFA revalidation
Final Risk Statement
CVE-2026-23478 is a textbook example of how a small logic mistake can completely break authentication security.
It does not rely on cryptographic weakness, brute force, or user error — it relies on trusting the wrong data.
Any unpatched Cal.com instance should be considered compromisable.
