CVE-2026-23478

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23478

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23478.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23478

Aliases

GHSA-7hg4-x4pr-3hrg

Published

2026-01-13T21:37:35.541Z

Modified

2026-02-04T21:34:33.009377Z

Severity

10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L CVSS Calculator

Summary

Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback

Details

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-602",
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23478.json"
}

References

Affected packages

Git / github.com/calcom/cal.com

Affected ranges

Type: GIT
Repo: https://github.com/calcom/cal.com
Events: Introduced

a9344115d21010424e562509bc763d0b461dac29

Fixed

0099c72f53957a1b65163f8176eeb718ad3664f8

Affected versions

@calcom/atoms@1.*

@calcom/atoms@1.0.110

@calcom/atoms@1.0.112

@calcom/atoms@1.0.114

@calcom/atoms@1.1.0

@calcom/atoms@1.1.2

@calcom/atoms@1.10.0

@calcom/atoms@1.11.0

@calcom/atoms@1.12.1

@calcom/atoms@1.2.0

@calcom/atoms@1.3.0

@calcom/atoms@1.3.1

@calcom/atoms@1.4.0

@calcom/atoms@1.5.0

@calcom/atoms@1.6.0

@calcom/atoms@1.7.0

@calcom/atoms@1.7.1

@calcom/atoms@1.8.0

@calcom/atoms@1.9.0

v3.*

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.2.0

v3.2.1

v3.2.10

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.7.1

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.4.0

v3.4.0-rc1

v3.4.1

v3.4.10

v3.4.2

v3.4.3

v3.4.4

v3.4.4-rc1

v3.4.5

v3.4.6

v3.4.7

v3.4.8

v3.4.9

v3.5.0

v3.5.1

v3.5.2

v3.5.3

v3.5.4

v3.5.5

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.7.0

v3.7.1

v3.7.10

v3.7.11

v3.7.12

v3.7.13

v3.7.14

v3.7.15

v3.7.16

v3.7.17

v3.7.18

v3.7.19

v3.7.2

v3.7.3

v3.7.4

v3.7.5

v3.7.6

v3.7.7

v3.7.8

v3.7.9

v3.8.0

v3.8.0-rc1

v3.8.1

v3.8.2

v3.8.3

v3.8.4

v3.8.5

v3.8.6

v3.8.7

v3.8.8

v3.8.9

v3.9.0

v3.9.1

v3.9.2

v3.9.3

v3.9.4

v3.9.5

v3.9.6

v3.9.7

v3.9.8

v3.9.9

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.1.0

v4.1.1

v4.1.10

v4.1.11

v4.1.12

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.4.0

v4.4.1

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v4.4.7

v4.4.8

v4.4.9

v4.5.0

v4.5.1

v4.5.10

v4.5.11

v4.5.2

v4.5.3

v4.5.4

v4.5.5

v4.5.6

v4.5.7

v4.5.8

v4.5.9

v4.6.0

v4.6.1

v4.6.10

v4.6.11

v4.6.12

v4.6.13

v4.6.14

v4.6.15

v4.6.16

v4.6.17

v4.6.18

v4.6.19

v4.6.2

v4.6.20

v4.6.21

v4.6.22

v4.6.23

v4.6.24

v4.6.3

v4.6.4

v4.6.5

v4.6.6

v4.6.7

v4.6.8

v4.6.9

v4.7.0

v4.7.1

v4.7.10

v4.7.11

v4.7.12

v4.7.13

v4.7.14

v4.7.15

v4.7.16

v4.7.17

v4.7.18

v4.7.19

v4.7.2

v4.7.20

v4.7.21

v4.7.22

v4.7.23

v4.7.24

v4.7.25

v4.7.3

v4.7.4

v4.7.5

v4.7.6

v4.7.7

v4.7.8

v4.7.9

v4.8.0

v4.8.1

v4.8.10

v4.8.11

v4.8.12

v4.8.13

v4.8.14

v4.8.15

v4.8.16

v4.8.18

v4.8.19

v4.8.2

v4.8.3

v4.8.4

v4.8.5

v4.8.6

v4.8.7

v4.8.8

v4.8.9

v4.9.0

v4.9.1

v4.9.1-rc1

v4.9.10

v4.9.11

v4.9.12

v4.9.13

v4.9.2

v4.9.3

v4.9.4

v4.9.5

v4.9.6

v4.9.7

v4.9.8

v4.9.9

v5.*

v5.0.0

v5.0.1

v5.0.10

v5.0.11

v5.0.12

v5.0.13

v5.0.14

v5.0.15

v5.0.17

v5.0.18

v5.0.19

v5.0.2

v5.0.20

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v5.1.0

v5.1.1

v5.1.10

v5.1.11

v5.1.12

v5.1.13

v5.1.14

v5.1.15

v5.1.16

v5.1.17

v5.1.18

v5.1.19

v5.1.2

v5.1.20

v5.1.21

v5.1.3

v5.1.4

v5.1.5

v5.1.6

v5.1.7

v5.1.8

v5.1.9

v5.2.0

v5.2.1

v5.2.10

v5.2.11

v5.2.12

v5.2.13

v5.2.14

v5.2.15

v5.2.16

v5.2.17

v5.2.2

v5.2.3

v5.2.4

v5.2.5

v5.2.6

v5.2.7

v5.2.8

v5.2.9

v5.3.0

v5.3.1

v5.3.10

v5.3.11

v5.3.12

v5.3.13

v5.3.2

v5.3.3

v5.3.4

v5.3.5

v5.3.6

v5.3.7

v5.3.8

v5.3.9

v5.4.0

v5.4.1

v5.4.10

v5.4.11

v5.4.12

v5.4.13

v5.4.14

v5.4.15

v5.4.16

v5.4.17

v5.4.19

v5.4.2

v5.4.20

v5.4.3

v5.4.4

v5.4.5

v5.4.6

v5.4.7

v5.4.8

v5.4.9

v5.5.0

v5.5.1

v5.5.10

v5.5.11

v5.5.12

v5.5.13

v5.5.14

v5.5.15

v5.5.16

v5.5.17

v5.5.18

v5.5.2

v5.5.3

v5.5.4

v5.5.5

v5.5.6

v5.5.7

v5.5.8

v5.5.9

v5.6.0

v5.6.1

v5.6.10

v5.6.11

v5.6.12

v5.6.13

v5.6.14

v5.6.15

v5.6.16

v5.6.17

v5.6.18

v5.6.19

v5.6.2

v5.6.20

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.6.7

v5.6.8

v5.6.9

v5.7.0

v5.7.1

v5.7.10

v5.7.11

v5.7.12

v5.7.2

v5.7.3

v5.7.4

v5.7.5

v5.7.6

v5.7.7

v5.7.8

v5.7.9

v5.8.0

v5.8.1

v5.8.10

v5.8.11

v5.8.12

v5.8.13

v5.8.14

v5.8.3

v5.8.4

v5.8.5

v5.8.6

v5.8.7

v5.8.8

v5.8.9

v5.9.0

v5.9.1

v5.9.10

v5.9.11

v5.9.12

v5.9.13

v5.9.14

v5.9.15

v5.9.2

v5.9.3

v5.9.4

v5.9.5

v5.9.6

v5.9.7

v5.9.8

v5.9.9

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23478.json"