[CVE-2026-23478] Authentication Bypass via Unvalidated Email in Custom JWT Callback

January 14, 2026 00:02:08
The Daily Cyberspace Information

Show Notes

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.


Episode Transcript

Description

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

Details

The custom NextAuth JWT callback accepts client-controlled identity fields when trigger === "update", writing them directly into the JWT without validation. When an attacker calls session.update({ email: "<victim email>" }), the JWT is updated to { sub: attackerId, email: "<victim email>" }. Subsequent requests using this modified JWT authenticate as the victim because the application looks up users by the now attacker-controlled token.email field. The session is built entirely from the victim's database record, granting full authenticated access.

Impact

Attackers gain full authenticated access to any user's account by knowing only that user's email address. Access to the user's bookings, event types, integrations, organization memberships, billing information, and admin privileges (if applicable) is granted immediately. The attack requires only a single API call, and security features such as 2FA or association with an external IdP do not prevent it. Cal.com hosted deployments were patched immediately upon discovery. We have no indication of exploitation.
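As an added illustration (this is not Cal.com's code nor the fix shipped in 6.0.7), the following JavaScript models the pattern described in the Details section: a NextAuth-style jwt callback that copies client-supplied identity fields into the token when trigger === "update", placed next to a hardened version that re-derives identity from token.sub. The in-memory user table, the ids and e-mail addresses, the locale allow-list and the two session-builder functions are all assumptions constructed for the example.

```javascript
// Added example (not Cal.com's code): a NextAuth-style jwt callback that copies
// client-supplied identity fields into the token on trigger === "update", next to
// a hardened version that re-derives identity from token.sub. The user table,
// ids and e-mail addresses below are constructed sample data.

// Constructed stand-in for the users table, keyed by id (NextAuth's token.sub).
const USERS = new Map([
  ["1", { id: "1", email: "attacker@example.test", role: "user" }],
  ["2", { id: "2", email: "victim@example.test", role: "admin" }],
]);

// Vulnerable pattern: on an update, whatever the client sent is written
// straight into the JWT, including the identity-bearing email field.
function vulnerableJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session) {
    if (session.email) token.email = session.email;
    if (session.name) token.name = session.name;
  }
  return token;
}

// Hardened pattern: the update payload may only touch an explicit allow-list of
// non-identity fields; identity fields are re-read from the database record of
// the subject that actually authenticated (token.sub), so session.email is ignored.
function hardenedJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session) {
    const dbUser = USERS.get(token.sub);
    if (!dbUser) throw new Error("unknown subject in token");
    if (typeof session.locale === "string") token.locale = session.locale;
    token.email = dbUser.email; // re-pinned from the DB, never taken from the client
  }
  return token;
}

// Session construction as the advisory describes it: the user is looked up by
// token.email, so the session is built from whichever record owns that address.
function buildSessionByEmail(token) {
  for (const u of USERS.values()) {
    if (u.email === token.email) return { user: { id: u.id, email: u.email, role: u.role } };
  }
  return null;
}

// More robust session construction: key the lookup on token.sub (the stable id
// fixed at sign-in) rather than on a mutable claim such as email.
function buildSessionBySub(token) {
  const u = USERS.get(token.sub);
  return u ? { user: { id: u.id, email: u.email, role: u.role } } : null;
}

// Runs one update round-trip: a token for user "1" receives an update payload
// naming user "2"'s address, then the session is built from the resulting token.
function runUpdate(jwtCallback, sessionBuilder) {
  let token = { sub: "1", email: "attacker@example.test" };
  token = jwtCallback({ token, trigger: "update", session: { email: "victim@example.test" } });
  return sessionBuilder(token);
}

// With the vulnerable callback and an email-keyed lookup the session belongs to
// user "2"; either the hardened callback or a sub-keyed lookup keeps it on user "1".
console.log(runUpdate(vulnerableJwtCallback, buildSessionByEmail).user.id); // "2"
console.log(runUpdate(hardenedJwtCallback, buildSessionByEmail).user.id);   // "1"
console.log(runUpdate(vulnerableJwtCallback, buildSessionBySub).user.id);   // "1"
```

Run it with node; the three printed ids show that both changes close the gap independently, and a defensive implementation applies both: the callback never accepts identity claims from the update payload, and the session lookup is keyed on the subject id rather than on a claim the client could influence.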

Other Episodes

January 09, 2026 00:00:57
Caught a cold

January 15, 2026 00:00:51
[CVE-2026-23512] There is an Untrusted Search Path vulnerability when the Advanced Options setting is triggered.
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is an Untrusted Search Path vulnerability when the Advanced Options setting is triggered....

January 16, 2026 00:03:09
Multiple vulnerabilities have been reported in WordPress and its plugins.
I intend to monitor these vulnerabilities going forward. Should the situation change, I will publish updates. The following vulnerabilities are covered. For details, please...