Authentication Bypass Vulnerability in Cal.com Scheduling Software
CVE-2026-23478
What is CVE-2026-23478?
CVE-2026-23478 is an authentication bypass vulnerability in Cal.com, an open-source scheduling platform used by many organizations to manage appointments and meetings. It affects versions from 3.1.6 up to, but not including, 6.0.7. The flaw lies in a custom NextAuth JWT callback that handles the session.update() trigger: the callback accepts an email address supplied by the caller and does not validate that it belongs to the authenticated user, so an attacker can switch their session to any user's account simply by providing the target email address through session.update(). Organizations running an affected version therefore face unauthorized access to sensitive user data and misuse of account privileges, undermining trust in their scheduling systems.
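To make the failure mode concrete, the following is an added illustration of the anti-pattern the advisory describes: a NextAuth-style jwt() callback that, on the session.update() trigger, rebuilds the token's identity from a client-supplied email. This is not Cal.com's code and does not reproduce its patch; the user table, field names, helper names and the simulateTakeover() driver are all assumptions made for this example. The hardened variant shows the fix pattern: identity on update is re-read for token.sub only and never taken from the request body.

```typescript
// Added example: NOT Cal.com's code. Types mimic the arguments a NextAuth
// jwt() callback receives; user table, roles and helpers are constructed here.

type Role = "user" | "admin";
type User = { id: string; email: string; role: Role };

// Constructed sample user table standing in for the application's database.
const USERS: User[] = [
  { id: "u1", email: "alice@example.com", role: "user" },
  { id: "u2", email: "admin@example.com", role: "admin" },
];

function findUserByEmail(email: string): User | undefined {
  return USERS.find((u) => u.email === email);
}

function findUserById(id: string): User | undefined {
  return USERS.find((u) => u.id === id);
}

// Subset of the JWT stored in the session cookie.
type Token = { sub: string; email: string; role: Role };

// What a NextAuth jwt() callback sees: on session.update(), `trigger` is
// "update" and `session` is whatever object the client passed in.
type JwtArgs = {
  token: Token;
  trigger?: "signIn" | "signUp" | "update";
  session?: Record<string, unknown>;
};

// Vulnerable pattern: on update, look up whichever email the client supplied
// and replace the token's identity with that account. Any logged-in user can
// therefore become any other user by choosing the email.
function jwtCallbackVulnerable({ token, trigger, session }: JwtArgs): Token {
  const requested = session?.email;
  if (trigger === "update" && typeof requested === "string") {
    const target = findUserByEmail(requested);
    if (target) {
      return { sub: target.id, email: target.email, role: target.role };
    }
  }
  return token;
}

// Hardened pattern: identity comes only from the already-authenticated token.
// The update trigger may refresh the token, but only from the database row for
// token.sub; client-controlled fields never select the account.
function jwtCallbackHardened({ token, trigger }: JwtArgs): Token {
  if (trigger === "update") {
    const current = findUserById(token.sub);
    if (!current) return token; // unknown subject: leave the token untouched
    return { sub: current.id, email: current.email, role: current.role };
  }
  return token;
}

// Simulate the attack: alice holds a valid session and calls
// session.update({ email: "admin@example.com" }).
function simulateTakeover(callback: (args: JwtArgs) => Token): Token {
  const aliceToken: Token = { sub: "u1", email: "alice@example.com", role: "user" };
  return callback({
    token: aliceToken,
    trigger: "update",
    session: { email: "admin@example.com" },
  });
}
```

Run against the vulnerable callback, simulateTakeover() returns a token for u2 with the admin role; against the hardened callback it returns alice's own token, because the client-supplied email is never consulted. When auditing a custom jwt() callback, the check to make is exactly this: any branch keyed on trigger === "update" must not derive sub, id, or email from the `session` argument.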
Potential impact of CVE-2026-23478
- Unauthorized Account Access: The primary impact of CVE-2026-23478 is that attackers can bypass authentication and gain full access to user accounts. This can lead to unauthorized actions being taken on behalf of legitimate users, creating security and privacy concerns.
- Data Breach Risks: The vulnerability can expose sensitive information stored within user accounts. If exploited, attackers could retrieve personal or organizational data, which could be used for identity theft, phishing attacks, or further exploitation.
- Reputational Damage: Organizations affected by this vulnerability may suffer reputational harm if users' trust is eroded by unauthorized access incidents. This can lead to a loss of customers, diminished brand value, and potential legal ramifications under data protection regulations.

Affected Version(s)
cal.com >= 3.1.6, < 6.0.7
