PT-2026-2806 · Cal.Com · Cal.Com
Jaydns · Published 2026-01-13 · Updated 2026-05-24
CVE-2026-23478 · CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Cal.com versions 3.1.6 through 6.0.6
Description
Cal.com, an open-source scheduling platform, has a critical flaw in a custom NextAuth JWT callback. The callback takes an unvalidated email address from the payload passed to session.update() and uses it to overwrite identity fields in the session token, so an attacker who supplies a target's email address obtains a session for that user. Because the check is bypassed at the session-token level, the result is full account takeover: access to bookings, integrations, organizational access, billing, and administrative privileges. Two-factor authentication and external identity providers do not prevent this post-authentication session hijack. Approximately 7,000 instances are potentially affected.
Recommendations
Cal.com versions 3.1.6 through 6.0.6 must be upgraded to version 6.0.7 or later to resolve this issue.
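As an added illustration (not Cal.com's code), here is the pattern the description points at, written as a NextAuth-style jwt callback in TypeScript: a weak variant that merges the client's session.update() payload into the token, beside a hardened variant that re-reads identity from the user record for the token's own subject and accepts only allow-listed non-identity fields. The user table, field names and helper names are constructed for this example.

```typescript
// Shape of a NextAuth `jwt` callback's arguments: on a client call to session.update(),
// NextAuth invokes it with `trigger: "update"` and the client-supplied `session` payload.
// Everything else here (user table, Role, locale field) is constructed for the example.
type Role = "USER" | "ADMIN";
type Token = { sub: string; email: string; role: Role; locale?: string };
type JwtArgs = {
  token: Token;
  trigger?: "signIn" | "signUp" | "update";
  session?: Record<string, unknown>; // whatever the client passed to session.update()
};

// Constructed stand-in for the user table, keyed by user id (the token's `sub`).
const USERS: Record<string, { email: string; role: Role }> = {
  u1: { email: "alice@example.com", role: "USER" },
  u2: { email: "admin@example.com", role: "ADMIN" },
};

// Weak pattern: identity fields are taken from the client-controlled update payload,
// so whoever calls session.update() decides whose token this is (the flaw class above).
function jwtCallbackUnsafe({ token, trigger, session }: JwtArgs): Token {
  if (trigger === "update" && session) {
    return { ...token, ...(session as Partial<Token>) };
  }
  return token;
}

// Hardened pattern: on update, identity is re-read from the database for the token's
// own subject, and only an explicit allow-list of non-identity fields is honoured
// from the payload. Any identity-bearing key in the payload is ignored.
const UPDATABLE_FIELDS = new Set<keyof Token>(["locale"]);

function jwtCallbackSafe({ token, trigger, session }: JwtArgs): Token {
  if (trigger !== "update") return token;
  const record = USERS[token.sub];
  if (!record) throw new Error(`unknown subject ${token.sub}; refusing to refresh token`);
  const refreshed: Token = { ...token, email: record.email, role: record.role };
  for (const [key, value] of Object.entries(session ?? {})) {
    if (UPDATABLE_FIELDS.has(key as keyof Token) && typeof value === "string") {
      (refreshed as Record<string, unknown>)[key] = value;
    }
  }
  return refreshed;
}

// Review aid for callbacks under test: a session update must never change the
// identity-bearing claims; a `true` result is a finding.
function identityChanged(before: Token, after: Token): boolean {
  return before.sub !== after.sub || before.email !== after.email || before.role !== after.role;
}
```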
Exploit
Fix
IDOR
Affected Products
Cal.Com