CVE-2026-23478: CWE-602: Client-Side Enforcement of Server-Side Security in calcom cal.com
CVE-2026-23478 is a critical vulnerability in cal.com versions from 3.1.6 up to (but not including) 6.0.7. A flaw in a custom NextAuth JWT callback lets an attacker gain full authenticated access to any user's account by supplying the target's email address through session.update(). The root cause is client-side enforcement of a server-side security decision (CWE-602): the server trusted client-supplied session data to decide which account a session belongs to. It has a CVSS 4.0 score of 10.0.
AI Analysis
Technical Summary
CVE-2026-23478 affects cal.com, an open-source scheduling platform widely used for appointment management. The vulnerability stems from improper authorization enforcement in a custom NextAuth JWT callback. In NextAuth, a page can call session.update(data) from the browser; the server then runs the configured jwt callback with trigger set to "update" and with the client-supplied data available to the callback. In versions from 3.1.6 to before 6.0.7, the callback used an email address taken from that client-supplied data to decide which user the session represents. An attacker who passes a victim's email address therefore receives a session token for the victim, gaining full authenticated access to that account without the victim's credentials and without any user interaction. One practical caveat for scoping: session.update() is invoked from an existing session, so in practice the attacker first needs a session of their own on the instance (any low-privileged account, including a self-registered one where registration is open); no knowledge of the victim's password or MFA factors is required.

This is a classic instance of CWE-602 (Client-Side Enforcement of Server-Side Security) combined with CWE-639 (Authorization Bypass Through User-Controlled Key), since the user-controlled key (the email) selects the account. The flaw lets attackers impersonate users, read and modify scheduling data and appointments, and, by targeting an administrator's email, escalate privileges within the application.

The vulnerability carries a CVSS 4.0 score of 10.0, reflecting critical impact on confidentiality, integrity, and availability, with a network attack vector and no privileges or user interaction required as scored; every instance running a vulnerable version is affected. No exploitation in the wild had been reported at the time of writing, but the attack is trivial to carry out once understood, so remediation is urgent. The issue is fixed in cal.com 6.0.7, which stops deriving the session identity from client-supplied data and performs the authorization decision server-side.
Potential Impact
For European organizations, this vulnerability poses a severe risk: it allows full takeover of user accounts on cal.com instances, leading to unauthorized access to scheduling information, data leakage, and disruption of business operations. Organizations relying on cal.com for internal or customer-facing scheduling could face GDPR exposure from unauthorized access to personal data (attendee names, email addresses, meeting notes). Because impersonation requires neither the victim's credentials nor any interaction, automated and targeted attacks are both realistic. A taken-over account also inherits whatever the victim has connected to cal.com, such as calendar and video-conferencing integrations, so the blast radius can extend beyond the scheduling application itself. The critical severity and network exploitability mean attackers can compromise accounts remotely and at scale, harming availability and trust in organizational services. Compromised accounts can further be used for social engineering or phishing campaigns against European users. Reputational damage and regulatory consequences for mishandling personal data could be significant, especially in healthcare, finance, and public services, where scheduling data is sensitive.
Mitigation Recommendations
European organizations should immediately upgrade all cal.com deployments to version 6.0.7 or later, where the vulnerability is patched. Until upgrades are completed, restrict access to cal.com instances with network segmentation and firewall rules so that only trusted internal networks or VPN users can reach them; on an instance with open self-registration, this is the only interim control that actually removes the attacker's ability to obtain the session they need. Audit account activity and session logs for unauthorized access: the update path is a POST to the NextAuth session endpoint (/api/auth/session), so session updates after which the session resolves to a different user than before, or bursts of such updates from a single account or address, are the signal to look for. If you maintain a fork or a customized jwt callback, make the callback ignore identity fields (email, user id, role) on trigger "update" and re-read the user from the server-side token identity instead of from client input. Multi-factor authentication remains good hygiene for reducing the impact of stolen credentials, but it does not block this vector, because the attack never passes through the login flow. Monitor threat intelligence feeds for emerging exploit activity. Finally, review authorization logic in custom integrations with cal.com for the same pattern of trusting client-supplied identity data.
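The following is an added, constructed illustration of the bug class described in the technical summary and of the callback hardening recommended above. It is not cal.com's actual code: the user table, names and field choices are invented, and the callback signature follows NextAuth's documented jwt({ token, trigger, session }) shape, where session is whatever the browser passed to session.update().

```javascript
// Added illustration of the CWE-602 pattern behind CVE-2026-23478 in a
// NextAuth-style `jwt` callback. Constructed example code, not cal.com's
// callback; the user table and names below are made up.
//
// NextAuth invokes jwt({ token, user, trigger, session }) with
// trigger === "update" when the browser calls useSession().update(data);
// `session` is then exactly the client-supplied `data`.

// Constructed users standing in for the database.
const USERS = [
  { id: 1, email: "attacker@example.test", name: "Mallory", role: "user" },
  { id: 2, email: "victim@example.test",   name: "Alice",   role: "admin" },
];

function findByEmail(email) {
  return USERS.find((u) => u.email === email);
}
function findById(id) {
  return USERS.find((u) => u.id === id);
}

// Build the JWT claims for a user record.
function tokenFor(u) {
  return { sub: String(u.id), email: u.email, name: u.name, role: u.role };
}

// VULNERABLE: on "update", the principal is re-derived from a field the
// client chose. Any logged-in user can become whoever they name.
function vulnerableJwt({ token, trigger, session }) {
  if (trigger === "update" && session && typeof session.email === "string") {
    const u = findByEmail(session.email);
    if (u) return tokenFor(u); // token now carries the victim's id and role
  }
  return token;
}

// HARDENED: identity comes only from the server-set token.sub; client input
// may only touch an explicit allowlist of harmless profile fields.
function hardenedJwt({ token, trigger, session }) {
  if (trigger !== "update") return token;
  const u = findById(Number(token.sub)); // re-read the authenticated principal
  if (!u) return token;
  const fresh = tokenFor(u);
  // Allowlist: only `name` may be set by the client; email/role/sub are ignored.
  if (session && typeof session.name === "string" && session.name.length <= 64) {
    fresh.name = session.name;
  }
  return fresh;
}

// Simulate the attacker's own session calling update({ email: <victim> }).
// Returns the token the callback produces for that request.
function simulateUpdate(jwtCallback) {
  const attackerToken = tokenFor(USERS[0]);
  const clientPayload = { email: "victim@example.test", name: "Mallory", role: "admin" };
  return jwtCallback({ token: attackerToken, trigger: "update", session: clientPayload });
}

// Self-check when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable ->", simulateUpdate(vulnerableJwt)); // sub "2", role "admin"
  console.log("hardened   ->", simulateUpdate(hardenedJwt));   // sub "1", role "user"
}
```

The hardened version makes the authorization decision from state the server already controls (token.sub) and treats the update payload purely as a set of optional, allowlisted profile edits; that is the shape a reviewer should insist on for any jwt or session callback that reacts to trigger "update".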
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T15:47:41.627Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6966bf90a60475309fb963d3
Added to database: 1/13/2026, 9:56:32 PM
Last enriched: 1/21/2026, 2:32:45 AM
Last updated: 2/7/2026, 1:10:25 AM
Related Threats
- CVE-2026-2071: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)