A critical security vulnerability has been disclosed in Cal.com, the popular open-source scheduling platform used by individuals and enterprises worldwide. Tracked as CVE-2026-23478, the flaw carries the maximum CVSS severity score of 10.0, indicating an issue that is trivial to exploit over the network and total in its impact.
The vulnerability allows a remote attacker to hijack any user account and act as that user, needing nothing beyond their own session on the instance and the victim's email address.
The core of the issue lies in how the platform handles user sessions. According to the advisory, the vulnerability stems from a “custom NextAuth JWT callback” that failed to validate input during session updates. NextAuth's session update mechanism passes whatever the client sends to that callback, and the framework documentation expects applications to validate it before use.
In a secure system, identity fields like an email address are immutable or strictly verified server-side. However, in vulnerable versions of Cal.com, the callback accepted “client-controlled identity fields” when the session trigger was set to “update”.
This oversight created a direct path to account takeover. An attacker could issue a single call, session.update({ email: "victim@example.com" }), and the server would rewrite the JSON Web Token (JWT) to associate the attacker’s own session with the victim’s email address.
Once the token is modified, the system authenticates the attacker as the victim. “Subsequent requests using this modified JWT authenticate as the victim because the application looks up users by the now-attacker-controlled token.email field”.
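The mechanism above, shown as an added illustration (this is example code written for this page, not Cal.com's own code). It models a NextAuth jwt callback, whose `{ token, user, trigger, session }` arguments and `"update"` trigger are NextAuth's real callback contract, driven by a constructed in-memory user table. The vulnerable callback merges the client-supplied update data into the token; the hardened one copies only an allowlist of non-identity fields and re-pins the email from the server-side record. The user table, the `UPDATABLE_FIELDS` allowlist, and the helper names are assumptions made for the example.

```javascript
// Constructed user table keyed by email, standing in for the database lookup
// the application performs on token.email for every request.
const usersByEmail = {
  "attacker@example.com": { id: 101, email: "attacker@example.com", role: "member", orgs: [] },
  "victim@example.com":   { id: 7,   email: "victim@example.com",   role: "owner",  orgs: ["acme"] },
};

function userById(id) {
  return Object.values(usersByEmail).find((u) => String(u.id) === String(id)) ?? null;
}

// Vulnerable pattern: on trigger === "update" the callback merges whatever the
// client passed to session.update() straight into the token, identity fields included.
function vulnerableJwtCallback({ token, user, trigger, session }) {
  if (user) {
    // Initial sign-in: the token is populated from the authenticated user record.
    return { ...token, sub: String(user.id), email: user.email };
  }
  if (trigger === "update" && session) {
    return { ...token, ...session }; // a client-controlled `email` overwrites token.email
  }
  return token;
}

// Hardened pattern: identity never comes from the client. On "update" only an
// allowlist of non-identity fields is copied, and the email claim is re-read from
// the server-side record for token.sub, so a spoofed `email` is simply dropped.
const UPDATABLE_FIELDS = new Set(["name", "locale", "timeZone"]); // assumed allowlist

function hardenedJwtCallback({ token, user, trigger, session }) {
  if (user) {
    return { ...token, sub: String(user.id), email: user.email };
  }
  if (trigger === "update" && session) {
    const next = { ...token };
    for (const [key, value] of Object.entries(session)) {
      if (UPDATABLE_FIELDS.has(key)) next[key] = value; // email, sub, id, role are ignored
    }
    const record = userById(next.sub);
    if (record) next.email = record.email; // identity is pinned to the stored record
    return next;
  }
  return token;
}

// Models the application resolving the current user from the token's email claim,
// which is exactly the lookup the advisory describes as attacker-controlled.
function resolveUser(token) {
  return usersByEmail[token.email] ?? null;
}

// Runs the full attack: sign in as the attacker, call session.update() with the
// victim's email, then return the user the application now believes it is serving.
function simulateTakeover(jwtCallback) {
  const attacker = usersByEmail["attacker@example.com"];
  let token = jwtCallback({ token: {}, user: attacker, trigger: "signIn" });
  token = jwtCallback({ token, trigger: "update", session: { email: "victim@example.com" } });
  return resolveUser(token);
}

console.log("vulnerable callback resolves to:", simulateTakeover(vulnerableJwtCallback));
console.log("hardened callback resolves to:  ", simulateTakeover(hardenedJwtCallback));
```

With the vulnerable callback the final lookup returns the victim's record (id 7, the organization owner) even though the attacker never presented the victim's credentials or second factor; with the hardened callback the same update call leaves the session bound to the attacker's own record. The general rule the fix encodes is that anything used as a lookup key for the principal must be derived from the authenticated subject on the server, never taken from a client-supplied update payload.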
The impact is total compromise. The attacker gains immediate access to the victim’s bookings, event types, billing information, and even organization memberships.
Perhaps most alarmingly, standard security defenses are rendered useless. Because the system believes the user is already authenticated via a valid session token, “security features such as 2FA, or being associated with an external IdP do not prevent this attack”.
The vulnerability affects self-hosted deployments running versions 3.1.6 through 6.0.6, inclusive.
The Cal.com team has released version 6.0.7 to fix the flaw. Users running their own instances are urged to upgrade immediately. For customers using the official hosted version of Cal.com, the platform was “patched immediately upon discovery,” and there is “no indication of exploitation” in the wild.