Cal.com NextAuth JWT Session Update Authentication Bypass (CVE-2026-23478)
A critical authentication bypass in the Cal.com open-source scheduling platform allows remote attackers to hijack arbitrary user accounts by abusing a flaw in a custom NextAuth JWT callback used during session updates. Tracked as CVE-2026-23478 (reported as CVSS 10.0), the issue affects Cal.com versions >= 3.1.6 and < 6.0.7 and is exploitable over the network with minimal prerequisites: primarily knowledge of a victim's email address.
The weakness occurs when the JWT callback runs with the session trigger set to "update". In that path Cal.com accepts client-controlled identity fields and writes them into the JWT without server-side validation (mapped to weaknesses such as CWE-602 and CWE-639). An attacker can send a single API call like session.update({ email: "victim@example.com" }) to produce a manipulated token that keeps the attacker's sub but carries the victim's email; subsequent requests are then treated as the victim because the application looks up users by the attacker-controlled token.email field rather than by the token subject. Successful exploitation yields full access to the victim's data and capabilities (bookings, event types, integrations, organization membership, billing, and potentially admin privileges). 2FA and external IdP associations do not mitigate the issue because the compromise occurs at the session token level, after authentication has already completed; Cal.com 6.0.7 and later are cited as containing the fix.
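To make the described weakness concrete, here is an added example (not Cal.com's code and not the NextAuth library itself) modelling a NextAuth-style jwt() callback on the "update" trigger: the trusting pattern that merges client-supplied session fields into the token beside a hardened variant that re-reads identity from the server-side store by token.sub and only accepts an allow-list of non-identity preferences. The in-memory user store, the user records and the helper names are assumptions for the demo.

```javascript
// Constructed in-memory user store standing in for the application database (assumed).
const db = new Map([
  [101, { id: 101, email: "attacker@example.com", role: "user" }],
  [202, { id: 202, email: "victim@example.com", role: "admin" }],
]);
function findUserById(id) { return db.get(id) ?? null; }
function findUserByEmail(email) {
  for (const u of db.values()) if (u.email === email) return u;
  return null;
}

// Weak pattern: on "update", whatever the client sent in session.update() is merged
// into the token, so a client-supplied email overwrites token.email.
function jwtCallbackVulnerable({ token, trigger, session }) {
  if (trigger === "update" && session) return { ...token, ...session };
  return token;
}

// Hardened pattern: identity fields are always refreshed from the server-side record
// that token.sub points to; client input is only honoured for allow-listed preferences.
const UPDATABLE_FIELDS = new Set(["locale"]);
function jwtCallbackHardened({ token, trigger, session }) {
  if (trigger !== "update") return token;
  const user = findUserById(Number(token.sub));
  if (!user) return null; // unknown subject: treat the session as invalid
  const next = { ...token, email: user.email, role: user.role };
  for (const key of Object.keys(session ?? {})) {
    if (UPDATABLE_FIELDS.has(key)) next[key] = session[key];
  }
  return next;
}

// Resolving the request principal. Looking users up by token.email is what turns a
// forged email into a takeover; looking up by token.sub is the safer default.
function resolveUser(token, lookupByEmail) {
  return lookupByEmail ? findUserByEmail(token.email) : findUserById(Number(token.sub));
}

// Runs the session-update path for a caller who holds account 101 and asks the
// callback to change the email to account 202's address; returns who the app
// would then treat the caller as.
function whoAmIAfterUpdate(callback, lookupByEmail = true) {
  const attackerToken = { sub: "101", email: "attacker@example.com" };
  const update = { email: "victim@example.com" };
  const updated = callback({ token: attackerToken, trigger: "update", session: update });
  return updated ? resolveUser(updated, lookupByEmail) : null;
}
```

A regression test for a deployment's callback only needs the last function: after an update carrying someone else's email, the resolved principal must still be the original subject.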

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Cal.com publicly discloses critical auth bypass vulnerability
On January 15, 2026, reports detailed CVE-2026-23478 as a critical Cal.com vulnerability that allows attackers to hijack accounts and bypass protections such as 2FA and external identity providers via a single session.update API call. The disclosure described impact including access to bookings, event types, billing data, organization memberships, integrations, and possible admin privileges.
Cal.com releases version 6.0.7 to fix CVE-2026-23478
Cal.com remediated the issue for self-hosted deployments in version 6.0.7. Users running affected versions were advised to upgrade to 6.0.7 or later to prevent authentication bypass and full account takeover.
Cal.com patches hosted service immediately after discovery
Cal.com said its official hosted service was patched immediately upon discovery of the vulnerability. The company also stated there was no indication of exploitation in the wild.
Cal.com flaw affects versions 3.1.6 through 6.0.6
A critical authentication bypass vulnerability, later tracked as CVE-2026-23478, was present in self-hosted Cal.com versions 3.1.6 through 6.0.6. The flaw stemmed from a custom NextAuth JWT callback that trusted client-controlled identity fields during session updates, enabling account takeover with only a victim's email address.
Sources
Critical Cal.com Vulnerability Let Attackers bypass authentication and hijack any user account (cybersecuritynews.com)
One API Call to Hijack: Critical Cal.com Flaw (CVE-2026-23478, CVSS 10) Bypasses 2FA (securityonline.info)