CRITICAL🇵🇱 Wersja polska

CVE-2026-23478

CVSS 10.0v4.0pub. 2026-01-13upd. 2026-02-03

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

🤖 AI Analysis
How it works

The vulnerability results from incorrect client-side implementation (CWE-602) and insufficient user identity verification during session updates (CWE-639). An attacker can invoke the session.update() function and provide the email address of any victim as a parameter. The custom JWT callback incorrectly processes this update, granting the attacker full authenticated access to the account associated with the provided email address.

Impact

The attacker gains full access to any user's Cal.com account, enabling them to read and modify personal data, calendars, and meetings of the victim, as well as potential further actions on behalf of the compromised account.

Mitigation & patch

Cal.com must be urgently updated to version 6.0.7 or later, in which the vulnerability has been fixed by the manufacturer.

Who is affected

Cal.com versions 3.1.6 through 6.0.6 (before 6.0.7)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Cal Cal.com

    APP
    Cal
    3.1.6 – 6.0.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-66489CRITICAL9.9PL ✓ten sam produkt

Cal.com: Pominięcie weryfikacji hasła przy logowaniu z TOTP

CVE-2023-1647HIGH8.8ten sam produkt

Improper Access Control in GitHub repository calcom/cal.com prior to 2.7.

CVE-2023-37919MEDIUM6.5ten sam produkt

Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account ...