Description
Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.
Published: 2026-01-13
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in Cal.com's custom NextAuth JWT callback. An attacker can supply any email address to the session.update() function without validation, allowing them to assume the identity of any user. This bypasses authentication and grants full access to that account, enabling the attacker to view or modify confidential data, schedule appointments, and potentially impersonate the user in future interactions. The underlying weakness aligns with CWE-602 and CWE-639.

Affected Systems

The flaw affects Cal.com versions ranging from 3.1.6 through 6.0.6. The open-source scheduling platform is used by organizations relying on secure user authentication. Version 6.0.7 and later include the fix that validates the email prior to updating the session.

Risk and Exploitability

The CVSS score of 10 marks this as a critical flaw. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because no special conditions are required beyond sending a crafted request to the JWT callback, an attacker with network access could exploit the issue. The lack of input validation makes this a straightforward authentication bypass.

Generated by OpenCVE AI on April 18, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Cal.com 6.0.7 or later, which implements proper email validation in the JWT callback.
  • If upgrading is not immediately possible, remove or restrict the custom JWT callback to enforce strict email verification before session updates.
  • Immediately audit accounts that might have been accessed via the flaw, invalidate suspected tokens, and reset passwords.
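The callback pattern described in the Impact section and in the second recommended action, as an added example (not Cal.com's code and not NextAuth's own types): a weak `jwt` callback that merges the session.update() payload into the token, next to a hardened one that re-derives identity from the token's subject and only copies allow-listed non-identity fields. The `USERS` store, the type names and the allow-listed `name` field are assumptions constructed for this illustration.

```typescript
// Added example, not Cal.com's code: a NextAuth-style `jwt` callback as it
// receives a session.update() call. The argument shape (token, trigger,
// session) mirrors NextAuth's callback; the types and the user store below
// are constructed for this illustration.

interface SessionToken {
  sub: string;      // subject: the user id the token was issued for
  email: string;
  name?: string;
}

interface JwtCallbackArgs {
  token: SessionToken;
  trigger?: "signIn" | "signUp" | "update";
  session?: Record<string, unknown>;   // client-supplied payload on "update"
}

// Constructed stand-in for the application database.
const USERS: Record<string, { id: string; email: string; name: string }> = {
  u1: { id: "u1", email: "alice@example.com", name: "Alice" },
  u2: { id: "u2", email: "bob@example.com", name: "Bob" },
};

// Weak pattern (the CWE-602/CWE-639 shape): the update payload is merged into
// the token as-is, so the session holder can rewrite identity fields such as
// `email`, and any later lookup keyed on that email resolves to another account.
function weakJwtCallback({ token, trigger, session }: JwtCallbackArgs): SessionToken {
  if (trigger === "update" && session) {
    // The cast stands in for NextAuth's loosely typed session payload.
    return { ...token, ...(session as unknown as Partial<SessionToken>) };
  }
  return token;
}

// Hardened pattern: identity comes only from the server. On "update" the user
// is reloaded by the token's `sub`, identity fields are re-derived from that
// record, and only an explicit allow-list of non-identity fields is copied
// from the client payload. Unknown subjects are rejected rather than guessed.
function hardenedJwtCallback({ token, trigger, session }: JwtCallbackArgs): SessionToken {
  if (trigger !== "update") return token;
  const user = USERS[token.sub];
  if (!user) throw new Error("session update for unknown subject");
  const updated: SessionToken = { ...token, sub: user.id, email: user.email };
  const requestedName = session?.name;
  if (typeof requestedName === "string") updated.name = requestedName;
  return updated;
}
```

The hardened callback treats a client-supplied `email` as noise rather than as an error, which keeps the update path working for legitimate clients while denying the identity rewrite.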

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 19:30:00 +0000

Type      Values Removed   Values Added
CPEs      (none)           cpe:2.3:a:cal:cal.com:*:*:*:*:*:*:*:*
Metrics   (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 14 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 11:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Cal; Cal cal.com
Vendors & Products    (none)           Cal; Cal cal.com


Tue, 13 Jan 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.
Title         (none)           Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback
Weaknesses    (none)           CWE-602; CWE-639
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T16:56:25.582Z

Reserved: 2026-01-13T15:47:41.627Z

Link: CVE-2026-23478

Vulnrichment

Updated: 2026-01-14T16:56:22.616Z

NVD

Status: Analyzed

Published: 2026-01-13T22:16:08.093

Modified: 2026-02-03T19:29:07.787

Link: CVE-2026-23478

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses