Cal.com NextAuth JWT Callback Authentication Bypass Vulnerability

Vulnerability

A vulnerability exists in Cal.com scheduling software from version 3.1.6 up to, but not including, 6.0.7, in a custom NextAuth JWT callback. The callback trusts the payload a client passes to session.update(): an authenticated attacker submits a target user's email address, and the JWT is rewritten to carry the attacker's ID together with the victim's email. A token in that state is enough for the application to treat the attacker as the victim, giving full authenticated access to the victim's account and associated data.
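
The pattern described above, as an added illustration rather than Cal.com's own code: a NextAuth-style jwt callback that spreads the client-supplied session.update() payload into the token, beside a hardened version that never takes identity fields from the client. next-auth is not imported; the callback shape is modelled on its jwt({ token, trigger, session }) signature, the user table is constructed for the example, and the lookup of the current user by the token's email is an assumed downstream behaviour, not something the advisory states.

```typescript
// Added example, not Cal.com's code. Models a NextAuth jwt callback handling
// the "update" trigger. In NextAuth the `session` argument on that trigger is
// whatever the browser passed to session.update(), so it is untrusted input.

interface Token {
  id: number;
  email: string;
}

interface JwtArgs {
  token: Token;
  trigger?: "signIn" | "signUp" | "update";
  session?: unknown; // client-controlled on trigger === "update"
}

interface User {
  id: number;
  email: string;
  name: string;
}

// Constructed stand-in for the users table.
const USERS: User[] = [
  { id: 1, email: "attacker@example.com", name: "Attacker" },
  { id: 2, email: "victim@example.com", name: "Victim" },
];

function findUserById(id: number): User | undefined {
  return USERS.find((u) => u.id === id);
}

function findUserByEmail(email: string): User | undefined {
  return USERS.find((u) => u.email === email);
}

// Vulnerable pattern: on "update", everything the client sent is merged into
// the token. A client-chosen email overwrites token.email while token.id still
// belongs to the caller, which is exactly the mixed token the advisory describes.
function vulnerableJwt({ token, trigger, session }: JwtArgs): Token {
  if (trigger === "update" && session && typeof session === "object") {
    return { ...token, ...(session as Partial<Token>) };
  }
  return token;
}

// Hardened pattern: identity fields (id, email) are re-read from the database
// keyed by the id already in the token and the client payload is ignored.
// Any non-identity field you do want to accept must be allow-listed and
// validated individually before it reaches the token.
function hardenedJwt({ token, trigger }: JwtArgs): Token {
  if (trigger === "update") {
    const user = findUserById(token.id);
    if (!user) {
      throw new Error("token refers to an unknown user");
    }
    return { ...token, id: user.id, email: user.email };
  }
  return token;
}

// Assumed downstream behaviour (not stated by the advisory): the session
// callback or a request handler resolves the acting user by token.email.
function currentUserName(token: Token): string | undefined {
  return findUserByEmail(token.email)?.name;
}

// Simulates the reported attack: the attacker holds a valid token for user 1
// and calls session.update({ email: "victim@example.com" }) from the browser.
function runUpdateAsAttacker(jwt: (args: JwtArgs) => Token): string | undefined {
  const attackerToken: Token = { id: 1, email: "attacker@example.com" };
  const updated = jwt({
    token: attackerToken,
    trigger: "update",
    session: { email: "victim@example.com" },
  });
  return currentUserName(updated);
}

console.log("vulnerable callback resolves to:", runUpdateAsAttacker(vulnerableJwt)); // Victim
console.log("hardened callback resolves to:", runUpdateAsAttacker(hardenedJwt)); // Attacker
```

The fix is structural rather than a check on one field: whatever the client sends on the "update" trigger, the token's identity must be derived from server-side state tied to the id the token already carries. Even an allow-list of editable fields should exclude anything a later lookup keys on.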

Impact

Exploitation gives an attacker full authenticated access to any user's account, including bookings, event types, integrations, organization memberships, billing information and, where the victim holds them, admin privileges.

Remediation

Update to Cal.com version 6.0.7 or later, which addresses this vulnerability.

Added: Jan 13, 2026, 10:19 PM
Updated: Jan 13, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 7.5
exploitability: 8.3
remediation: 7.7
relevance: 2.0
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.