Share
## https://sploitus.com/exploit?id=08297B8D-5FD1-59EC-957D-CEE89E59EC70
# ๐ CVE-2026-23478 โ Critical Authentication Bypass

> **Severity:** ๐ด *Critical*
> **CVSS v4:** **10.0 / 10**
> **Published:** January 13, 2026
---
## ๐ง At a Glance
A **critical authentication bypass** vulnerability in **Cal.com** allows attackers to **fully impersonate any user**โno password required.
---
## ๐ฏ Affected Software
* **Product:** Cal.com (open-source scheduling platform)
* **Vulnerable Versions:** `3.1.6 โ 6.0.6`
* **Patched Version:** โ
`6.0.7+`
---
## ๐งฉ Root Cause
The issue stems from **improper server-side validation** in a custom **NextAuth JWT callback**.
### What went wrong?
* The backend **trusted client-supplied data**
* Specifically during `session.update()`
* Attackers could supply **any email address**
* The server accepted it as legitimate
๐ This violates basic authentication and authorization boundaries.
---
## ๐ฅ Impact
An unauthenticated attacker can:
* ๐ค Log in as **any user**
* ๐
View & modify private schedules
* โ Cancel or create bookings
* ๐ Abuse connected integrations
* ๐ง Pivot to deeper system access
**No credentials. No user interaction. Full account takeover.**
---
## ๐งจ Attack Characteristics
| Factor | Value |
| ------------------- | ------------------------ |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Exploit Complexity | Low |
| Impact | Total account compromise |
---
## ๐งท Vulnerability Classifications
* **CWE-602:** Client-Side Enforcement of Server-Side Security
* **CWE-639:** Authorization Bypass via User-Controlled Key
---
## ๐ ๏ธ Mitigation (Do This Now)
### โ
Immediate Actions
1. **Upgrade Cal.com to `v6.0.7` or later**
2. **Rotate session tokens & auth secrets**
3. **Audit logs** for suspicious session updates
4. **Review custom NextAuth logic**
* Never trust client-provided identity fields
* Enforce strict server-side checks
---
## ๐งฏ Security Takeaway
> **Scheduling systems are identity systems.**
> Treat them with the same security rigor as authentication providers.
---