<p>Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.</p>

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

[CVE-2026-23478]Authentication Bypass via Unvalidated Email in Custom JWT Callback

We primarily share information about vulnerabilities in open-source software. While finding vulnerability details can be challenging, simply listen to the information we've curated here.

We deliver updates once a day, every day. We hope this serves as your cyber guardian.

Technology

We primarily share information about vulnerabilities in open-source software. While finding vulnerability details can be challenging, simply listen to the information we've curated here. We deliver updates once a day, every day. We hope this serves as your cyber guardian.

Share [CVE-2026-23478]Authentication Bypass via Unvalidated Email in Custom JWT Callback

Sign up to save your podcasts

[CVE-2026-23478]Authentication Bypass via Unvalidated Email in Custom JWT Callback

[CVE-2026-23478]Authentication Bypass via Unvalidated Email in Custom JWT Callback