Home > Vulnerability Database > CVE-2026-23478

Mend.io Vulnerability Database

CVE-2026-23478

Good to know:

Date: January 13, 2026

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

Severity Score

10.0

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23478

Url: https://github.com/calcom/cal.com/security/advisories/GHSA-7hg4-x4pr-3hrg

Url: https://www.mend.io/vulnerability-database/CVE-2026-23478

Severity Score

10.0

Weakness Type (CWE)

Authorization Bypass Through User-Controlled Key

CWE-639

Client-Side Enforcement of Server-Side Security

CWE-602

Top Fix

Upgrade Version

Upgrade to version https://github.com/calcom/cal.com.git - v6.0.7

Learn More

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23478

Good to know:

Date: January 13, 2026

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?