CVE-2026-23478: CWE-602: Client-Side Enforcement of Server-Side Security in calcom cal.com
CVE-2026-23478 is a critical vulnerability in cal.com versions from 3.1.6 up to but not including 6.0.7. It arises from improper client-side enforcement of server-side security in a custom NextAuth JWT callback, allowing attackers to gain full authenticated access to any user account by supplying a target email address via session.update(). This vulnerability requires no authentication or user interaction and has a CVSS 4.0 base score of 10.
AI Analysis
Technical Summary
CVE-2026-23478 is a critical security vulnerability identified in the open-source scheduling software cal.com, affecting versions from 3.1.6 up to but not including 6.0.7. The root cause lies in a custom NextAuth JWT callback implementation that improperly enforces security controls on the client side rather than the server side. Specifically, the session.update() function accepts a target email address parameter without adequate server-side validation, enabling an attacker to impersonate any user by supplying their email address. This bypasses authentication mechanisms, granting the attacker full authenticated access to the victim's account. The vulnerability is classified under CWE-602 (Client-Side Enforcement of Server-Side Security) and CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS 4.0 vector indicates the vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and results in high confidentiality, integrity, and availability impacts (VC:H, VI:H, VA:H). The scope is high (S:H), meaning the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits are reported in the wild yet, the critical severity and ease of exploitation make it a significant threat. The vulnerability is resolved in cal.com version 6.0.7 by enforcing proper server-side validation of session updates and restricting unauthorized email parameter manipulation.
Potential Impact
For European organizations, this vulnerability poses a severe risk as it allows attackers to fully compromise user accounts without authentication or user interaction. Organizations relying on cal.com for scheduling and calendar management could face unauthorized access to sensitive personal and business information, leading to data breaches, privacy violations, and potential disruption of business operations. Attackers could manipulate schedules, access confidential meeting details, or impersonate users to conduct further attacks such as social engineering or lateral movement within networks. The high severity and ease of exploitation increase the likelihood of targeted attacks, especially against sectors with high dependency on scheduling tools, such as healthcare, legal, finance, and government agencies. Additionally, compromised accounts could be leveraged to bypass other security controls or gain access to integrated third-party services. The reputational damage and regulatory consequences under GDPR for failing to protect personal data could be substantial.
Mitigation Recommendations
European organizations using cal.com versions between 3.1.6 and 6.0.7 should immediately upgrade to version 6.0.7 or later where the vulnerability is patched. Until patching is possible, organizations should implement strict access controls and monitor for unusual session update activities, particularly those involving email address changes. Employ network-level protections such as Web Application Firewalls (WAFs) with custom rules to detect and block suspicious session.update() requests that attempt to manipulate email parameters. Conduct thorough audits of user session management and authentication flows to ensure no other client-side enforcement weaknesses exist. Educate development teams on the importance of server-side validation for all security-critical operations. Additionally, implement multi-factor authentication (MFA) to reduce the impact of compromised credentials. Regularly review logs for anomalous access patterns and consider isolating cal.com instances to minimize lateral movement in case of compromise.
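The bug class described in the Technical Summary, and the "monitor session updates" advice above, are easier to reason about with the callback shape in front of you. The following is an added illustration written for this page, not cal.com's code or the actual patch: it shows a NextAuth-style `callbacks.jwt({ token, trigger, session })` handler that blindly merges the client payload on `trigger === "update"` (the CWE-602/CWE-639 pattern), beside a hardened variant that re-derives identity from a server-side record keyed by `token.sub`, accepts only an allow-list of client-updatable fields, and emits an audit event when a client tries to change an identity field. The in-memory `USERS` table, the `CLIENT_UPDATABLE` allow-list and the `audit` hook are constructed for the example; only the callback argument shape follows NextAuth.

```javascript
// Added example: NextAuth-style `jwt` callback, vulnerable vs. hardened handling
// of session.update(). Stand-alone: no next-auth import, synchronous for clarity
// (NextAuth accepts sync or async callbacks). All data below is constructed.

// Constructed server-side user table, keyed by the stable id carried in token.sub.
const USERS = new Map([
  ["u-1001", { id: "u-1001", email: "alice@example.test", name: "Alice", role: "member" }],
  ["u-2002", { id: "u-2002", email: "admin@example.test", name: "Ops Admin", role: "owner" }],
]);

// Vulnerable pattern: on trigger === "update", everything the browser sent via
// session.update(payload) is merged into the token, identity fields included.
// Nothing checks that payload.email belongs to the user identified by token.sub.
function vulnerableJwtCallback({ token, trigger, session }) {
  if (trigger === "update" && session) {
    return { ...token, ...session };
  }
  return token;
}

// Fields a client may change through session.update(). Identity and authorization
// fields (sub, email, name, role) are deliberately not in this set (assumed list).
const CLIENT_UPDATABLE = new Set(["locale", "theme"]);

// Hardened pattern: identity is re-read from the server-side record for token.sub,
// only allow-listed keys are copied from the client payload, and every rejected key
// is reported through `audit` (hypothetical hook) so the event can be logged/alerted.
function hardenedJwtCallback({ token, trigger, session }, audit = () => {}) {
  if (trigger !== "update" || !session) return token;

  const user = USERS.get(token.sub);
  if (!user) {
    // Unknown subject: refuse to apply any client-driven change.
    audit({ event: "session_update_unknown_subject", sub: token.sub });
    return token;
  }

  // Server-side truth wins for identity, regardless of what the client sent.
  const next = { ...token, email: user.email, name: user.name, role: user.role };

  for (const [key, value] of Object.entries(session)) {
    if (CLIENT_UPDATABLE.has(key)) {
      next[key] = value;
    } else {
      audit({ event: "session_update_rejected_field", sub: token.sub, field: key, attempted: value });
    }
  }
  return next;
}

// Runs both callbacks against one constructed update payload that mixes a benign
// preference change with an attempt to rewrite the email, and reports the outcome.
function demoSessionUpdate() {
  const token = { sub: "u-1001", email: "alice@example.test", name: "Alice", role: "member" };
  const payload = { email: "admin@example.test", theme: "dark" }; // constructed client payload
  const auditEvents = [];

  const vulnerable = vulnerableJwtCallback({ token, trigger: "update", session: payload });
  const hardened = hardenedJwtCallback(
    { token, trigger: "update", session: payload },
    (e) => auditEvents.push(e)
  );

  return {
    vulnerableEmail: vulnerable.email,          // client-supplied value accepted
    hardenedEmail: hardened.email,              // still the real owner of token.sub
    hardenedTheme: hardened.theme,              // allow-listed field applied
    rejectedFields: auditEvents.map((e) => e.field), // what a monitor would see
  };
}

console.log(demoSessionUpdate());
```

The audit events are the concrete thing to watch for: a session update whose payload carries `email`, `role` or another identity field should never be a normal client action, so even a single such event per user is worth an alert, independent of whether the callback rejected it.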
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T15:47:41.627Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6966bf90a60475309fb963d3
Added to database: 1/13/2026, 9:56:32 PM
Last enriched: 1/13/2026, 10:11:39 PM
Last updated: 1/13/2026, 10:59:03 PM