Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3.
AnalysisAI
User enumeration via Nextcloud Calendar's attendee suggestion endpoint affects authenticated users on versions 5.5.13-5.5.16 and 6.2.0-6.2.2. The searchAttendee controller method in ContactController.php called the contacts manager search API without passing the instance's configured sharing restriction parameters - meaning enumeration-limiting settings (shareapi_allow_share_dialog_user_enumeration, shareapi_only_share_with_group_members, group-scoped restrictions) enforced on all other sharing endpoints were silently bypassed here. An authenticated low-privilege attacker can probe the endpoint with partial name or email strings to reconstruct the full user directory, disclosing usernames and email addresses that administrators had intentionally restricted. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed).
Technical ContextAI
The vulnerable code resides in lib/Controller/ContactController.php within the Nextcloud Calendar application (a separate installable app on top of the Nextcloud platform). Prior to the fix, searchAttendee() invoked $this->contactsManager->search($search, ['FN', 'EMAIL'], ['enumeration' => true]) - hardcoding enumeration: true and omitting the full set of sharing API config checks. The fix injects IConfig and IGroupManager dependencies and reads six core configuration keys (shareapi_allow_share_dialog_user_enumeration, shareapi_only_share_with_group_members, shareapi_restrict_user_enumeration_to_group, shareapi_restrict_user_enumeration_full_match, and related sub-settings) before filtering results, mirroring the logic applied to the main sharing dialog. The root cause class is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): a privileged access-control policy existed and was enforced elsewhere, but was not applied to this endpoint, creating an inconsistency that leaks data. The CPE cpe:2.3:a:nextcloud:security-advisories:*:*:*:*:*:*:*:* reflects the Nextcloud security advisory namespace rather than a narrowed product CPE; the precise affected artifact is the nextcloud/calendar composer package.
RemediationAI
Vendor-released patches are available: upgrade Nextcloud Calendar to version 5.5.17 (for the 5.x branch) or 6.2.3 (for the 6.x branch). The fix is implemented in PR #8197 (https://github.com/nextcloud/calendar/pull/8197), which has been merged and released. Administrators should update the Calendar app via the Nextcloud App Store or Composer. If immediate upgrade is not feasible, a compensating control is to disable the Nextcloud Calendar app entirely until patching is possible - this removes the vulnerable endpoint at the cost of calendar functionality for all users. Alternatively, if the organization's Nextcloud instance does not rely on user enumeration restrictions (i.e., shareapi_allow_share_dialog_user_enumeration is already set to 'yes' by policy), the practical confidentiality impact is negligible and the patch can be scheduled for the next maintenance window without emergency urgency. Restricting network access to the Nextcloud instance to trusted users only would reduce exposure but is not a targeted mitigiation. Vendor advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r697-74m9-gvf2.
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk co
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Rated critical severity (CVSS 9.8),
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
NextCloud Cookbook is a recipe library app. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,
Nextcloud server is an open source home cloud implementation. Rated high severity (CVSS 8.8), this vulnerability is remo
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowi
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution vi
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the
A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. Rated high
Improper access control in Nextcloud Deck 0.8.0 allowed an attacker to reshare boards shared with them with more permiss
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL confi
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33711