How broadly exploitable is this vulnerability?

The flaw is broadly exploitable wherever an attacker can reach the authentication flow and trigger `session.update()` or a similar mechanism that passes arbitrary emails into the JWT callback. No prior knowledge beyond a victim's email address and access to the application is typically required.

Does an attacker need valid credentials for the target account?

No. The attacker needs the ability to interact with the application and supply an email in the vulnerable session update flow. The vulnerability allows them to bind their session to any account identified by that email without possessing the actual user's password or OAuth tokens.

What is the safest general fix pattern for this kind of bug?

The safest pattern is to strictly bind sessions to a server-verified, immutable user identifier and ensure that any identity-related changes require re-authentication or strong server-side verification. Session update operations should only modify non-identity attributes and must never allow switching the underlying account.

Severity:

CRITICAL RISK

(9.8)

Improper Session Handling / Insecure JWT Callback (CWE-639) in Cal.com Authentication

CVE-2026-23478

Published:

Jan 13, 2026

Status:

Analyzed

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-306

CRITICAL RISK

CRITICAL

(9.8)

Missing Authentication for Forgot-Password Email Change API (CWE-306)

Account Takeover / Loss of Account Control

February 17, 2026

CWE-77;CWE-78

HIGH RISK

HIGH

(7.3)

OS Command Injection (CWE-78) in node-sonos-http-api TTS Provider for macOS

Remote Code Execution on the Server Host

February 17, 2026

Vulnerability Type

Category:

Broken Authentication and Session Management

CWE:

CWE-602;CWE-639

Impact:

Full Account Takeover / Authentication Bypass

Severity:

CRITICAL RISK

(9.8)

CVSS Version:

3.1

Vulnerability Type

Category:

Broken Authentication and Session Management

CWE:

CWE-602;CWE-639

Impact:

Full Account Takeover / Authentication Bypass

Severity:

CRITICAL RISK

(9.8)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Improper Session Handling / Insecure JWT Callback (CWE-639) in Cal.com Authentication

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

CRITICAL RISK

CRITICAL

(9.8)

Missing Authentication for Forgot-Password Email Change API (CWE-306)

HIGH RISK

HIGH

(7.3)

OS Command Injection (CWE-78) in node-sonos-http-api TTS Provider for macOS

Vulnerability Type

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare