Share
## https://sploitus.com/exploit?id=08297B8D-5FD1-59EC-957D-CEE89E59EC70
# ๐Ÿ” CVE-2026-23478 โ€” Critical Authentication Bypass

![Critical cal com Vulnerability Let Attackers Bypass Authentication Via Fake TOTP Codes   (1)](https://github.com/user-attachments/assets/99d3e27d-b32b-478a-bc51-177b110ad5cf)

> **Severity:** ๐Ÿ”ด *Critical*
> **CVSS v4:** **10.0 / 10**
> **Published:** January 13, 2026

---

## ๐Ÿง  At a Glance

A **critical authentication bypass** vulnerability in **Cal.com** allows attackers to **fully impersonate any user**โ€”no password required.

---

## ๐ŸŽฏ Affected Software

* **Product:** Cal.com (open-source scheduling platform)
* **Vulnerable Versions:** `3.1.6 โ†’ 6.0.6`
* **Patched Version:** โœ… `6.0.7+`

---

## ๐Ÿงฉ Root Cause

The issue stems from **improper server-side validation** in a custom **NextAuth JWT callback**.

### What went wrong?

* The backend **trusted client-supplied data**
* Specifically during `session.update()`
* Attackers could supply **any email address**
* The server accepted it as legitimate

๐Ÿ›‘ This violates basic authentication and authorization boundaries.

---

## ๐Ÿ’ฅ Impact

An unauthenticated attacker can:

* ๐Ÿ‘ค Log in as **any user**
* ๐Ÿ“… View & modify private schedules
* โŒ Cancel or create bookings
* ๐Ÿ”— Abuse connected integrations
* ๐Ÿง  Pivot to deeper system access

**No credentials. No user interaction. Full account takeover.**

---

## ๐Ÿงจ Attack Characteristics

| Factor              | Value                    |
| ------------------- | ------------------------ |
| Attack Vector       | Network                  |
| Privileges Required | None                     |
| User Interaction    | None                     |
| Exploit Complexity  | Low                      |
| Impact              | Total account compromise |

---

## ๐Ÿงท Vulnerability Classifications

* **CWE-602:** Client-Side Enforcement of Server-Side Security
* **CWE-639:** Authorization Bypass via User-Controlled Key

---

## ๐Ÿ› ๏ธ Mitigation (Do This Now)

### โœ… Immediate Actions

1. **Upgrade Cal.com to `v6.0.7` or later**
2. **Rotate session tokens & auth secrets**
3. **Audit logs** for suspicious session updates
4. **Review custom NextAuth logic**

   * Never trust client-provided identity fields
   * Enforce strict server-side checks

---

## ๐Ÿงฏ Security Takeaway

> **Scheduling systems are identity systems.**
> Treat them with the same security rigor as authentication providers.

---