What happened
A critical authentication bypass in Cal.com, tracked as CVE‑2026‑23478, lets attackers take over user accounts. The flaw lies in Cal.com’s NextAuth JWT callback mechanism, which allows malicious actors to manipulate session tokens and authenticate as any user without proper validation. Self‑hosted versions from 3.1.6 up to but not including 6.0.7 are affected: improper handling of client‑controlled identity fields during session updates lets an attacker embed an arbitrary email identifier into a JWT, and subsequent API calls then treat the manipulated session as valid, granting full access to account data, bookings, administrative controls, billing information, and integrations. Because the compromise occurs after the initial token is created, the flaw does not depend on multi‑factor authentication or external identity providers. Patches are available in version 6.0.7 or later.
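The following TypeScript is an added illustration of the flaw class described above, not Cal.com's code and not taken from the advisory. It models a NextAuth-style `jwt` callback loosely as a function of the existing token, the trigger name and the client-supplied update payload; the user store (`usersById`), the token and the update payload are constructed for the example. It contrasts a callback that merges the client payload straight into the token with a hardened one that re-reads identity fields from the server-side store, and adds the API-side consistency check a defender would want regardless of which callback is in use.

```typescript
// Added example: client-controlled identity fields merged into a JWT on session update.
// Not Cal.com's code. Store, records, token and payload below are constructed.

interface Jwt {
  sub: string;            // immutable user id fixed at sign-in
  email: string;          // identity field: must never be taken from the client
  role: "user" | "admin"; // authorization field: must never be taken from the client
  name: string;           // cosmetic profile field the client may legitimately edit
}

type UpdatePayload = Record<string, unknown>; // whatever the browser sent to session.update()

// Constructed stand-in for the server-side user table.
const usersById: Record<string, { email: string; role: "user" | "admin"; name: string }> = {
  "u-1001": { email: "alice@example.test", role: "user", name: "Alice" },
  "u-1002": { email: "admin@example.test", role: "admin", name: "Site Admin" },
};

// Vulnerable pattern: on an "update" trigger the callback spreads the client payload
// into the token, so any claim, including email and role, can be overwritten.
function jwtCallbackVulnerable(token: Jwt, trigger: string, payload?: UpdatePayload): Jwt {
  if (trigger === "update" && payload) {
    return { ...token, ...(payload as Partial<Jwt>) };
  }
  return token;
}

// Hardened pattern: only the subject from the existing token is trusted; identity and
// role are reloaded from the store, and a single allow-listed cosmetic field is copied
// from the client payload after type-checking it.
function jwtCallbackHardened(token: Jwt, trigger: string, payload?: UpdatePayload): Jwt {
  if (trigger !== "update" || !payload) return token;
  const record = usersById[token.sub];
  if (!record) throw new Error(`unknown subject ${token.sub}`);
  const next: Jwt = { ...token, email: record.email, role: record.role };
  if (typeof payload.name === "string" && payload.name.length <= 100) {
    next.name = payload.name;
  }
  return next;
}

// Defence in depth on the API side: refuse to act on a session whose identity claims
// disagree with the store record for its subject. This catches a tampered token even
// where some callback was too permissive.
function resolveAccount(token: Jwt): { id: string; email: string; role: "user" | "admin" } {
  const record = usersById[token.sub];
  if (!record) throw new Error(`unknown subject ${token.sub}`);
  if (record.email !== token.email || record.role !== token.role) {
    throw new Error(`session identity mismatch for ${token.sub}`);
  }
  return { id: token.sub, email: record.email, role: record.role };
}

// Constructed update payload: a legitimate name change bundled with identity fields
// that the client has no business setting.
const tamperedUpdate: UpdatePayload = {
  name: "Alice Liddell",
  email: "admin@example.test",
  role: "admin",
};

const aliceToken: Jwt = { sub: "u-1001", email: "alice@example.test", role: "user", name: "Alice" };

function demo(): { vulnerableEmail: string; hardenedEmail: string; hardenedName: string; mismatchCaught: boolean } {
  const v = jwtCallbackVulnerable(aliceToken, "update", tamperedUpdate);
  const h = jwtCallbackHardened(aliceToken, "update", tamperedUpdate);
  let mismatchCaught = false;
  try {
    resolveAccount(v); // the merged token claims the admin's email under Alice's subject
  } catch {
    mismatchCaught = true;
  }
  return { vulnerableEmail: v.email, hardenedEmail: h.email, hardenedName: h.name, mismatchCaught };
}

console.log(demo());
```

In the vulnerable path the token leaves the callback carrying `admin@example.test`, and any downstream lookup keyed on the email claim rather than on the subject resolves to the wrong account; the hardened callback keeps Alice's identity while still honouring her name change, and `resolveAccount` rejects the tampered token outright.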
Who is affected
Operators of self‑hosted Cal.com instances are directly impacted if unpatched; compromised accounts could extend to organizational admin roles and sensitive scheduling data.
Why CISOs should care
Authentication bypass in calendaring and scheduling platforms can lead to account takeover, business disruption, unauthorized access to meetings and integrations, and broader lateral movement risks within enterprise ecosystems.
3 practical actions
- Upgrade Cal.com: Immediately update self‑hosted instances to version 6.0.7 or later.
- Audit active sessions: Invalidate existing tokens and force re‑authentication after patching.
- Monitor account access: Track anomalous login and API activity post‑remediation.
